Maintaining a local backup for data plane processes

ABSTRACT

The present invention provides a computer system having a control process and a device driver process that is in communication with the control process, and a local back-up process, independent of both the control process and the device driver process. The local back-up process facilitates recovery of the device driver process. In one aspect of the invention, the computer system is a network device that includes a control plane and a data plan. The control plane includes a control process, and the data plane includes a device driver process. A local back-up process, independent of both the control process and the device driver process, facilitates recovery of the device driver process if the device driver process is terminated.

BACKGROUND

The majority of Internet outages are directly attributable to softwareupgrade issues and software quality in general. Mitigation of networkdowntime is a constant battle for service providers. In pursuit of “five9's availability” or 99.999% network up time, service providers mustminimize network outages due to equipment (i.e., hardware) and all toocommon software failures. Service providers not only incur downtime dueto failures, but also incur downtime for upgrades to deploy new orimproved software, hardware, software or hardware fixes or patches thatare needed to deal with current network problems. A network outage canalso occur after an upgrade has been installed if the upgrade itselfincludes undetected problems (i.e., bugs) or if the upgrade causes othersoftware or hardware to have problems. Data merging, data conversion anduntested compatibilities contribute to downtime. Upgrades often resultin data loss due to incompatibilities with data file formats. Downtimemay occur unexpectedly days after an upgrade due to lurking software orhardware incompatibilities. Often, the upgrade of one process results inthe failure of another process. This is often referred to as regression.Sometimes one change can cause several other components to fail; this isoften called the “ripple” effect. To avoid compatibility problems,multiple versions (upgraded and not upgraded versions) of the samesoftware are not executed at the same time.

Most computer systems are based on inflexible, monolithic softwarearchitectures that consist of one massive program or a single image.Though the program includes many sub-programs or applications, when theprogram is linked, all the subprograms are resolved into one image.Monolithic software architectures are chosen because writing subprogramsis simplified since the locations of all other subprograms are known andstraightforward function calls between subprograms can be used.Unfortunately, the data and code within the image is static and cannotbe changed without changing the entire image. Such a change is termed anupgrade and requires creating a new monolithic image including thechanges and then rebooting the computer to cause it to use the new.Thus, to upgrade, patch or modify the program requires that the entirecomputer system be shut down and rebooted. Shutting down a networkrouter or switch immediately affects the network up time or“availability”. To minimize the number of reboots required for softwareupgrades and, consequently, the amount of network down time, newsoftware releases to customers are often limited to a few times a yearat best. In some cases, only a single release per year is feasible. Inaddition, new software releases are also limited to a few times a yeardue to the amount of testing required to release a new monolithicsoftware program. As the size and complexity of the program grows, theamount of time required to test and the size of the regress matrix usedto test the software also grows. Forcing more releases each year maynegatively affect software quality as all bugs may not be detected. Ifthe software is not fully tested and a bug is not detected—or even afterextensive testing a bug is not discovered—and the network device isrebooted with the new software, more network down time may beexperienced if the device crashes due to the bug or the device causesother devices on the network to have problems and it and other devicesmust be brought down again for repair or another upgrade to fix the bug.In addition, after each software release, the size of the monolithicimage increases leading to a longer reboot time. Moreover, a monolithicimage requires contiguous memory space, and thus, the computer system'sfinite memory resources will limit the size of the image.

Unfortunately, limiting the number of software releases also delays therelease of new hardware. New hardware modules, usually ready to shipbetween “major” software releases, cannot be shipped more than a fewtimes a year since the release of the hardware must be coordinated withthe release of new software designed to upgrade the monolithic softwarearchitecture to run the new hardware.

An additional and perhaps less obvious issue faced by customers isencountered when customers need to scale and enhance their networks.Typically, new and faster hardware is added to increase bandwidth or addcomputing power to an existing network. Under a monolithic softwaremodel, since customers are often unwilling to run different softwarerevisions in each network element, customers are forced to upgrade theentire network. This may require shutting down and rebooting eachnetwork device.

“Dynamic loading” is one method used to address some of the problemsencountered with upgrading monolithic software. The core or kernelsoftware is loaded on power-up but the dynamic loading architectureallows each application to be loaded only when requested. In somesituations, instances of these software applications may be upgradedwithout having to upgrade the kernel and without having to reboot thesystem (“hot upgrade”). Unfortunately, much of the data and coderequired to support basic system services, for example, event loggingand configuration remain static in the kernel. Application programinterface (API) dependencies between dynamically loaded softwareapplications and kernel resident software further complicate upgradeoperations. Consequently, many application fixes or improvements and newhardware releases, require changes to the kernel code which—similar tomonolithic software changes—requires updating the kernel and shuttingdown and rebooting the computer.

In addition, processes in monolithic images and those which aredynamically loadable typically use a flat (shared) memory spaceprogramming model. If a process fails, it may corrupt memory used byother processes. Detecting and fixing corrupt memory is difficult and,in many instances, impossible. As a result, to avoid the potential formemory corruption errors, when a single process fails, the computersystem is often rebooted.

All of these problems impede the advancement of networks—a situationthat is completely incongruous with the accelerated need and growth ofnetworks today.

SUMMARY OF THE INVENTION

The present invention provides a computer system having a controlprocess and a device driver process in communication with the controlprocess. The computer system further includes a local back-up processfor facilitating recovery of the device driver process if the devicedriver process is terminated. The local back-up is independent of boththe device driver process and the control process.

In one aspect, the device driver and the local back-up processcommunicate through a check-pointing procedure. The computer system canalso include a remote back-up process for facilitating recovery of thecontrol application, where the local back-up is independent of both thedevice driver process and the control process.

In a related aspect, the invention provides a network device having acontrol plane and a data plane. The control plane includes a controlprocess for establishing and terminating network connections. The dataplane includes a device driver process for transmitting data overnetwork connections established by the control process. The networkdevice further includes a local back-up process for facilitatingrecovery of the device driver process if the device driver process isterminated. The local back-up process is independent of both the controlprocess and the device driver process.

In another aspect, the local back-up process and the device driverprocess of the network device communicate through a check-pointingprocedure to allow the local back-up process to store certain stateinformation representing the active state of the device driver process.

The network device can further include a remote back-up process forfacilitating recovery of the control application if the controlapplication is terminated, where the local back-up process isindependent of both the device driver process and the control process.

The control process can be an Asynchronous Transfer Mode application,and device driver can be an Asynchronous Transfer Mode drivercorresponding to the Asynchronous Transfer Mode application.Alternatively, the control process can be a Multi-Protocol LabelSwitching application, and the device driver can be a Multi-ProtocolLabel Switching driver corresponding to the Multi-Protocol LabelSwitching application. Further, the control process can be an InternetProtocol application, and the device driver can be an Internet Protocoldriver corresponding to the Internet Protocol application; or thecontrol process can be a Frame Relay application and the device drivercan be a Frame Relay driver corresponding to the Frame Relayapplication.

The invention further provides a method for operating a network device.The method calls for establishing and terminating network connectionsthrough a modular control process within a control plane. Data istransmitted over network connections established by the control processthrough a modular device driver process within a data plane, and activestate information is communicated between the device driver process anda local back-up process.

The method can further include the steps of terminating the devicedriver process, restarting the device driver process, and communicatingback-up state information stored by the local back-up process to therestarted device driver process to facilitate recovery of the devicedriver process. In addition, the method can include a step of continuingto establish and terminate network connections through the controlprocess when the device driver process is terminated and restarted.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer system with a distributedprocessing system;

FIG. 2 is a block diagram of a logical system model;

FIG. 3 is a flow diagram illustrating a method for generating views anddatabase data definition language files from a logical system model;

FIG. 4 is a flow diagram illustrating a method for allowing applicationsto view data within a database;

FIGS. 5 and 8 are block and flow diagrams of a computer systemincorporating a modular system architecture and illustrating a methodfor accomplishing hardware inventory and setup;

FIGS. 6, 7, 10, 11 a, 11 b, 12, 13 and 14 are tables representing datain a configuration database;

FIG. 9 is a block and flow diagram of a computer system incorporating amodular system architecture and illustrating a method for configuringthe computer system using a network management system;

FIG. 15 is a block and flow diagram of a line card and a method forexecuting multiple instances of processes;

FIGS. 16a-16 b are flow diagrams illustrating a method for assigninglogical names for inter-process communications;

FIG. 16c is a block and flow diagram of a computer system incorporatinga modular system architecture and illustrating a method for usinglogical names for inter-process communications;

FIG. 16d is a chart representing a message format;

FIGS. 17-19 are block and flow diagrams of a computer systemincorporating a modular system architecture and illustrating methods formaking configuration changes;

FIG. 20 is a block and flow diagram of a computer system incorporating amodular system architecture and illustrating a method for distributinglogical model changes to users;

FIG. 21 is a block and flow diagram of a computer system incorporating amodular system architecture and illustrating a method for making aprocess upgrade;

FIG. 22 is a block diagram representing a revision numbering scheme;

FIG. 23 is a block and flow diagram of a computer system incorporating amodular system architecture and illustrating a method for making adevice driver upgrade;

FIG. 24 is a block diagram representing processes within separateprotected memory blocks;

FIG. 25 is a block and flow diagram of a line card and a method foraccomplishing vertical fault isolation;

FIG. 26 is a block and flow diagram of a computer system incorporating ahierarchical and configurable fault management system and illustrating amethod for accomplishing fault escalation.

FIG. 27 is a block diagram of an application having multiplesub-processes;

FIG. 28 is a block diagram of a hierarchical fault descriptor;

FIG. 29 is a block and flow diagram of a computer system incorporating adistributed redundancy architecture and illustrating a method foraccomplishing distributed software redundancy;

FIG. 30 is a table representing data in a configuration database;

FIGS. 31a-31 c, 32 a-32 c, 33 a-33 d and 34 a-34 b are block and flowdiagrams of a computer system incorporating a distributed redundancyarchitecture and illustrating methods for accomplishing distributedredundancy and recovery after a failure;

FIG. 35 is a block diagram of a network device;

FIG. 36 is a block diagram of a portion of a data plane of a networkdevice;

FIG. 37 is a block and flow diagram of a network device incorporating apolicy provisioning manager; and

FIGS. 38 and 39 are tables representing data in a configurationdatabase.

DETAILED DESCRIPTION

A modular software architecture solves some of the more common scenariosseen in existing architectures when software is upgraded or new featuresare deployed. Software modularity involves functionally dividing asoftware system into individual modules or processes, which are thendesigned and implemented independently. Inter-process communication(IPC) between the modules is carried out through message passing inaccordance with well-defined application programming interfaces (APIs).A protected memory feature also helps enforce the separation of modules.Modules are compiled and linked as separate programs, and each programruns in its own protected memory space. In addition, each program isaddressed with an abstract communication handle, or logical name. Thelogical name is location-independent; it can live on any card in thesystem. The logical name is resolved to a physical card/process duringcommunication. If, for example, a backup process takes over for a failedprimary process, it assumes ownership of the logical name and registersits name to allow other processes to re-resolve the logical name to thenew physical card/process. Once complete, the processes continue tocommunicate with the same logical name, unaware of the fact that aswitchover just occurred.

Like certain existing architectures, the modular software architecturedynamically loads applications as needed. Beyond prior architectures,however, the modular software architecture removes significantapplication dependent data from the kernel and minimizes the linkbetween software and hardware. Instead, under the modular softwarearchitecture, the applications themselves gather necessary information(i.e., metadata) from a variety of sources, for example, text files,JAVA class files and database views. Metadata facilitates customizationof the execution behavior of software processes without modifying theoperating system software image. A modular software architecture makeswriting applications—especially distributed applications—more difficult,but metadata provides seamless extensibility allowing new softwareprocesses to be added and existing software processes to be upgraded ordowngraded while the operating system is running. In one embodiment, thekernel includes operating system software, standard system servicessoftware and modular system services software. Even portions of thekernel may be hot upgraded under certain circumstances. Examples ofmetadata include, customization text files used by software devicedrivers; JAVA class files that are dynamically instantiated usingreflection; registration and deregistration protocols that enable theaddition and deletion of software services without system disruption;and database view definitions that provide many varied views of thelogical system model. Each of these and other examples are describedbelow.

The embodiment described below includes a network computer system with aloosely coupled distributed processing system. It should be understood,however, that the computer system could also be a central processingsystem or a combination of distributed and central processing and eitherloosely or tightly coupled. In addition, the computer system describedbelow is a network switch for use in, for example, the Internet, widearea networks (WAN) or local area networks (LAN). It should beunderstood, however, that the modular software architecture can beimplemented on any network device (including routers) or other types ofcomputer systems and is not restricted to a network device.

A distributed processing system is a collection of independent computersthat appear to the user of the system as a single computer. Referring toFIG. 1, computer system 10 includes a centralized processor 12 with acontrol processor subsystem 14 that executes an instance of the kernel20 including master control programs and server programs to activelycontrol system operation by performing a major portion of the controlfunctions (e.g., booting and system management) for the system. Inaddition, computer system 10 includes multiple line cards 16 a-16 n.Each line card includes a control processor subsystem 18 a-18 n, whichruns an instance of the kernel 22 a-22 n including slave and clientprograms as well as line card specific software applications. Eachcontrol processor subsystem 14, 18 a-18 n operates in an autonomousfashion but the software presents computer system 10 to the user as asingle computer.

Each control processor subsystem includes a processor integrated circuit(chip) 24, 26 a-26 n, for example, a Motorola 8260 or an Intel Pentiumprocessor. The control processor subsystem also includes a memorysubsystem 28, 30 a-30 n including a combination of non-volatile orpersistent (e.g., PROM and flash memory) and volatile (e.g., SRAM andDRAM) memory components. Computer system 10 also includes an internalcommunication bus 32 connected to each processor 24, 26 a-26 n. In oneembodiment, the communication bus is a switched Fast Ethernet providing100 Mb of dedicated bandwidth to each processor allowing the distributedprocessors to exchange control information at high frequencies. A backupor redundant Ethernet switch may also be connected to each board suchthat if the primary Ethernet switch fails, the boards can fail-over tothe backup Ethernet switch.

In this example, Ethernet 32 provides an out-of-band control path,meaning that control information passes over Ethernet 32 but the networkdata being switched by computer system 10 passes to and from externalnetwork connections 31 a-31 xx over a separate data path 34. Externalnetwork control data is passed from the line cards to the centralprocessor over Ethernet 32. This external network control data is alsoassigned the highest priority when passed over the Ethernet to ensurethat it is not dropped during periods of heavy traffic on the Ethernet.

In addition, another bus 33 is provided for low level system serviceoperations, including, for example, the detection of newly installed (orremoved) hardware, reset and interrupt control and real time clock (RTC)synchronization across the system, In one embodiment, this is anInter-IC communications (I²C) bus.

Alternatively, the control and data may be passed over one common path(in-band).

Logical System Model:

Referring to FIG. 2, a logical system model 280 is created using theUnified Modeling Language (UML). A managed device 282 represents the toplevel system connected to models representing both hardware 284 andsoftware applications 286. Hardware model 284 includes modelsrepresenting specific pieces of hardware, for example, chassis 288,shelf 290, slot 292 and printed circuit board 294. The logical model iscapable of showing containment, that is, typically, there are manyshelves per chassis (1:N), many slots per shelf (1:N) and one board perslot (1:1). Shelf 290 is a parent class having multiple shelf models,including various functional shelves 296 a-296 n as well as one or moresystem shelves, for example, for fans 298 and power 300. Board 294 isalso a parent class having multiple board models, including variousfunctional boards without ports 302 a-302 n (e.g., central processor 12,FIG. 1) and various functional boards with ports 304 a-304 n (e.g., linecards 16 a-16 n, FIG. 1). Hardware model 284 also includes a model forboards with ports 306 coupled to the models for functional boards withports and a port model 308. Port model 308 is coupled to one or morespecific port models, for example, synchronous optical network (SONET)protocol port 310, and a physical service endpoint model 312.

Hardware model 284 includes models for all hardware that may beavailable on computer system 10 (FIG. 1). All shelves and slots may notbe populated. In addition, there may be multiple chasses. It should beunderstood that SONET port 310 is an example of one type of port thatmay be supported by computer system 10. A model is created for each typeof port available on computer system 10, including, for example,Ethernet, Dense Wavelength Division Multiplexing (DWDM) or DigitalSignal, Level 3 (DS3). The Network Management Software (NMS, describedbelow) uses the hardware model to display a graphical picture ofcomputer system 10 to a user.

Service endpoint model 314 spans the software and hardware models withinlogical model 280. It is a parent class including a physical serviceendpoint model 312 and a logical service endpoint model 316.

Software model 286 includes models for each of the software processes(e.g., applications, device drivers, system services) available oncomputer system 10. All applications and device drivers may not be usedon computer system 10. As one example, ATM model 318 is shown. It shouldbe understood that software model 286 may also include models for otherapplications, for example, Internet Protocol (IP) applications andMulti-Protocol Label Switching (MPLS) applications. Models of otherprocesses (e.g., device drivers and system services) are not shown forconvenience. For each process, models of configurable objects managed bythose processes are also created. For example, models of ATMconfigurable objects are coupled to ATM model 318, including models fora soft permanent virtual path 320, a soft permanent virtual circuit 321,a switch address 322, a cross-connection 323, a permanent virtual pathcross-connection 324, a permanent virtual circuit cross-connection 325,a virtual ATM interface 326, a virtual path link 327, a virtual circuitlink 328, logging 329, an ILMI reference 330, PNNI 331, a trafficdescriptor 332, an ATM interface 333 and logical service endpoint 316.As described above, logical service endpoint model 316 is coupled toservice endpoint model 314. It is also coupled to ATM interface model333.

The UML logical model is layered on the physical computer system to adda layer of abstraction between the physical system and the softwareapplications. Adding or removing known (i.e., not new) hardware fromcomputer system 10 will not require changes to the logical model or thesoftware applications. However, changes to the physical system, forexample, adding a new type of board, will require changes to the logicalmodel. In addition, the logical model is modified when new or upgradedprocesses are created. Changes to the logical model will likely requirechanges to most, if not all, existing software applications, andmultiple versions of the same software processes (e.g., upgraded andolder) are not supported by the same logical model.

To decouple software processes from the logical model—as well as thephysical system—another layer of abstraction is added in the form ofviews. A view is a logical slice of the logical model and defines aparticular set of data within the logical model to which an associatedprocess has access. Views allow multiple versions of the same process tobe supported by the same logical model since each view limits the datathat a corresponding process “views” or has access to, to the datarelevant to the version of that process. Similarly, views allow multipledifferent processes to use the same logical model.

Referring to FIG. 3, UML logical model 280 is used as input to a codegenerator 336. The code generator creates a view identification (id) andan application programming interface (API) 338 for each process thatwill require configuration data. For example, a view id and an API maybe created for each ATM application 339 a-339 n, each SONET application340 a-340 n, each MPLS application 341 a-341 n and each IP application342 a-342 n. In addition, a view id and API will also be created foreach device driver process, for example, device drivers 343 a-343 n, andfor modular system services (MSS) 345 a-345 n (described below), forexample, a Master Control Driver (MCD), a System Resiliency Manager(SRM), and a Software Management System (SMS). The code generatorprovides data consistency across processes, centralized tuning and anabstraction of embedded configuration and NMS databases (describedbelow) ensuring that changes to their database schema do not affectexisting processes.

The code generator also creates a data definition language (DDL) file344 including structured query language (SQL) commands used to constructvarious tables and views within a configuration database 346 (describedbelow) and a DDL file 348 including SQL commands used to constructvarious tables and views within a network management (NMS) database 350(described below). This is also referred to as converting the UMLlogical model into a database schema and various views look atparticular portions of that schema within the database. If the samedatabase software is used for both the configuration and NMS databases,then one DDL file may be used for both. The databases do not have to begenerated from a UML model for views to work. Instead, database filescan be supplied directly without having to generate them using the codegenerator.

Prior to shipping computer system 10 to customers, a software buildprocess is initiated to establish the software architecture andprocesses. The code generator is part of this process. Each process whenpulled into the build process links the associated view id and API intoits image. When the computer system is powered-up, as described below,configuration database software will use DDL file 344 to populate aconfiguration database 346. The computer system will send DDL file 348to the NMS such that NMS database software can use it to populate an NMSdatabase 350. Memory and storage space within network devices istypically very limited. The configuration database software is robustand takes a considerable amount of these limited resources but providesmany advantages as described below.

Referring to FIG. 4, applications 352 a-352 n each have an associatedview 354 a-354 n of configuration database 42. The views may be similarallowing each application to view similar data within configurationdatabase 42. For example, each application may be ATM version 1.0 andeach view may be ATM view version 1.3. Instead, the applications andviews may be different versions. For example, application 352 a may beATM version 1.0 and view 354 a may be ATM view version 1.3 whileapplication 352 b is ATM version 1.7 and view 354 b is ATM view version1.5. A later version, for example, ATM version 1.7, of the sameapplication may represent an upgrade of that application and itscorresponding view allows the upgraded application access only to datarelevant to the upgraded version and not data relevant to the olderversion. If the upgraded version of the application uses the sameconfiguration data as an older version, then the view version may be thesame for both applications. In addition, application 352 n may representa completely different type of application, for example, MPLS, and view354 n allows it to have access to data relevant to MPLS and not ATM orany other application. Consequently, through the use of database views,different versions of the same software applications and different typesof software applications may be executed on computer system 10simultaneously.

Views also allow the logical model and physical system to be changed,evolved and grown to support new applications and hardware withouthaving to change existing applications. In addition, softwareapplications may be upgraded and downgraded independent of each otherand without having to re-boot computer system 10. For example, aftercomputer system 10 is shipped to a customer, changes may be made tohardware or software. For instance, a new version of an application, forexample, ATM version 2.0, may be created or new hardware may be releasedrequiring a new or upgraded device driver process. To make this a newprocess and/or hardware available to the user of computer system 10,first the software image including the new process must be re-built.

Referring again to FIG. 3, logical model 280 is changed (280′) toinclude models representing the new software and/or hardware. Codegenerator 336 then uses new logical model 280′ to re-generate view idsand APIs 338′ for each application, including, for example, ATM versiontwo 360 and device driver 362, and DDL files 344′ and 348′. The newapplication(s) and/or device driver(s) processes then bind to the newview ids and APIs. A copy of the new application(s) and/or device driverprocess as well as the new DDL files and any new hardware are sent tothe user of computer system 10. The user can then download the newsoftware and plug the new hardware into computer system 10. The upgradeprocess is described in more detail below.

Power-Up:

Referring again to FIG. 1, on power-up, reset or reboot, the processoron each board (central processor and each line card) downloads andexecutes boot-strap code (i.e., minimal instances of the kernelsoftware) and power-up diagnostic test code from its local memorysubsystem. After passing the power-up tests, processor 24 on centralprocessor 12 then downloads kernel software 20 from persistent storage21 into non-persistent memory in memory subsystem 28. Kernel software 20includes operating system (OS), system services (SS) and modular systemservices (MSS).

In one embodiment, the operating system software and system servicessoftware are the OSE operating system and system services from Enea OSESystems, Inc. in Dallas, Tex. The OSE operating system is a pre-emptivemulti-tasking operating system that provides a set of services thattogether support the development of distributed applications (i.e.,dynamic loading). The OSE approach uses a layered architecture thatbuilds a high level set of services around kernel primitives. Theoperating system, system services, and modular system services providesupport for the creation and management of processes; inter-processcommunication (IPC) through a process-to-process messaging model;standard semaphore creation and manipulation services; the ability tolocate and communicate with a process regardless of its location in thesystem; the ability to determine when another process has terminated;and the ability to locate the provider of a service by name.

These services support the construction of a distributed system whereinapplications can be located by name and processes can use a single formof communication regardless of their location. By using these services,distributed applications may be designed to allow services totransparently move from one location to another such as during a failover.

The OSE operating system and system services provide a singleinter-process communications mechanism that allows processes tocommunicate regardless of their location in the system. OSE IPC differsfrom the traditional IPC model in that there are no explicit IPC queuesto be managed by the application. Instead each process is assigned aunique process identification that all IPC messages use. Because OSE IPCsupports inter-board communication the process identification includes apath component. Processes locate each other by performing an OSE Huntcall on the process identification. The Hunt call will return theProcess ID of the process that maps to the specified path/name.Inter-board communication is carried over some number of communicationlinks. Each link interface is assigned to an OSE Link Handler. The pathcomponent of a process path/name is the concatenation of the LinkHandler names that one must transverse in order to reach the process.

In addition, the OSE operating system includes memory management thatsupports a “protected memory model”. The protected memory modeldedicates a memory block (i.e., defined memory space) to each processand erects “walls” around each memory block to prevent access byprocesses outside the “wall”. This prevents one process from corruptingthe memory space used by another process. For example, a corruptsoftware memory pointer in a first process may incorrectly point to thememory space of a second processor and cause the first process tocorrupt the second processor's memory space. The protected memory modelprevents the first process with the corrupted memory pointer fromcorrupting the memory space or block assigned to the second process. Asa result, if a process fails, only the memory block assigned to thatprocess is assumed corrupted while the remaining memory space isconsidered uncorrupted.

The modular software architecture takes advantage of the isolationprovided to each process (e.g., device driver or application) by theprotected memory model. Because each process is assigned a unique orseparate protected memory block, processes may be started, upgraded orrestarted independently of other processes.

Referring to FIG. 5, the main modular system service that controls theoperation of computer system 10 is a System Resiliency Manager (SRM).Also within modular system services is a Master Control Driver (MCD)that learns the physical characteristics of the particular computersystem on which it is running, in this instance, computer system 10. TheMCD and the SRM are distributed applications. A master SRM 36 and amaster MCD 38 are executed by central processor 12 while slave SRMs 37a-37 n and slave MCDs 39 a-39 n are executed on each board (centralprocessor 12 and each line card 16 a-16 n). The SRM and MCD worktogether and use their assigned view ids and APIs to load theappropriate software drivers on each board and to configure computersystem 10.

Also within the modular system services is a configuration serviceprogram 35 that downloads a configuration database program 42 and itscorresponding DDL file from persistent storage into non-persistentmemory 40 on central processor 12. In one embodiment, configurationdatabase 42 is a Polyhedra database from Polyhedra, Inc. in the UnitedKingdom.

Hardware Inventory and Set-Up:

Master MCD 38 begins by taking a physical inventory of computer system10 (over the I²C bus) and assigning a unique physical identificationnumber (PID) to each item. Despite the name, the PID is a logical numberunrelated to any physical aspect of the component being numbered. In oneembodiment, pull-down/pull-up resistors on the chassis mid-plane providethe number space of Slot Identifiers. The master MCD may read a registerfor each slot that allows it to get the bit pattern produced by theseresistors. MCD 38 assigns a unique PID to the chassis, each shelf in thechassis, each slot in each shelf, each line card 16 a-16 n inserted ineach slot, and each port on each line card. (Other items or componentsmay also be inventoried.)

Typically, the number of line cards and ports on each line card in acomputer system is variable but the number of chasses, shelves and slotsis fixed. Consequently, a PID could be permanently assigned to thechassis, shelves and slots and stored in a file. To add flexibility,however, MCD 38 assigns a PID even to the chassis, shelves and slots toallow the modular software architecture to be ported to another computersystem with a different physical construction (i.e., multiple chassesand/or a different number of shelves and slots) without having to changethe PID numbering scheme.

Referring to FIGS. 5-7, for each line card 16 a-16 n in computer system10, MCD 38 communicates with a diagnostic program (DP) 40 a-40 n beingexecuted by the line card's processor to learn each card's type andversion. The diagnostic program reads a line card type and versionnumber out of persistent storage, for example, EPROM 42 a-42 n, andpasses this information to the MCD. For example, line cards 16 a and 16b could be cards that implement Asynchronous Transfer Mode (ATM)protocol over Synchronous Optical Network (SONET) protocol as indicatedby a particular card type, e.g., 0XF002, and line card 16 e could be acard that implements Internet Protocol (IP) over SONET as indicated by adifferent card type, e.g., 0XE002. In addition, line card 16 a could bea version three ATM over SONET card meaning that it includes four SONETports 44 a-44 d each of which may be connected to an external SONEToptical fiber that carries an OC-48 stream, as indicated by a particularport type 00620, while line card 16 b may be a version four ATM overSONET card meaning that it includes sixteen SONET ports 46 a-46 f eachof which carries an OC-3 stream as indicated by a particular port type,e.g., 00820. Other information is also passed to the MCD by the DP, forexample, diagnostic test pass/fail status. With this information, MCD 38creates card table (CT) 47 and port table (PT) 49 in configurationdatabase 42. As described below, the configuration database copies allchanges to an NMS database. If the MCD cannot communicate with thediagnostic program to learn the card type and version number, then theMCD assumes the slot is empty.

Even after initial power-up, master MCD 38 will continue to takephysical inventories to determine if hardware has been added or removedfrom computer system 10. For example, line cards may be added to emptyslots or removed from slots. When changes are detected, master MCD 38will update CT 47 and PT 49 accordingly.

For each line card 16 a-16 n, master MCD 38 searches a physical moduledescription (PMD) file 48 in memory 40 for a record that matches thecard type and version number retrieved from that line card. The PMD filemay include multiple files. The PMD file includes a table thatcorresponds card type and version number with name of the mission kernelimage executable file (MKI.exe) that needs to be loaded on that linecard. Once determined, master MCD 38 passes the name of each MKIexecutable file to master SRM 36. Master SRM 36 requests a bootserver(not shown) to download the MKI executable files 50 a-50 n frompersistent storage 21 into memory 40 (i.e., dynamic loading) and passeseach MKI executable file 50 a-50 n to a bootloader (not shown) runningon each board (central processor and each line card). The bootloadersexecute the received MKI executable file.

Once all the line cards are executing the appropriate MKI, slave MCDs 39a-39 n and slave SRMs 37 a-37 n on each line card need to downloaddevice driver software corresponding to the particular devices on eachcard. Referring to FIG. 8, slave MCDs 39 a-39 n search PMD file 48 inmemory 40 on central processor 12 for a match with their line card typeand version number. Just as the master MCD 36 found the name of the MKIexecutable file for each line card in the PMD file, each slave MCD 39a-39 n reads the PMD file to learn the names of all the device driverexecutable files associated with each line card type and version. Theslave MCDs provide these names to the slave SRMs on their boards. SlaveSRMs 37 a-37 n then download and execute the device driver executablefiles (DD.exe) 56 a-56 n from memory 40. As one example, one port devicedriver 43 a-43 d may be started for each port 44 a-44 d on line card 16a. The port driver and port are linked together through the assignedport PID number.

In order to understand the significance of the PMD file (i.e.,metadata), note that the MCD software does not have knowledge of boardtypes built into it. Instead, the MCD parameterizes its operations on aparticular board by looking up the card type and version number in thePMD file and acting accordingly. Consequently, the MCD software does notneed to be modified, rebuilt, tested and distributed with new hardware.The changes required in the software system infrastructure to supportnew hardware are simpler modify logical model 280 (FIG. 3) to include: anew entry in the PMD file (or a new PMD file) and, where necessary, newdevice drivers and applications. Because the MCD software, which residesin the kernel, will not need to be modified, the new applications anddevice drivers and the new DDL files (reflecting the new PMD file) forthe configuration database and NMS database are downloaded and upgraded(as described below) without re-booting the computer system.

Network Management System (NMS):

Referring to FIG. 9, a user of computer system 10 works with networkmanagement system (NMS) software 60 to configure computer system 10. Inthe embodiment described below, NMS 60 runs on a personal computer orworkstation 62 and communicates with central processor 12 over Ethernetnetwork 32 (out-of-band). Instead, the NMS may communicate with centralprocessor 12 over data path 34 (FIG. 1, in-band). Alternatively (or inaddition as a back-up communication port), a user may communicate withcomputer system 10 through a terminal connected to a serial line 66connecting to the data or control path using a command line interface(CLI) protocol. Instead, NMS 60 could run directly on computer system 10provided computer system 10 has an input mechanism for the user.

NMS 60 establishes an NMS database 61 on work station 62 using a DDLfile corresponding to the NMS database and downloaded from persistentstorage 21 in computer system 10. The NMS database mirrors theconfiguration database through an active query feature (describedbelow). In one embodiment, the NMS database is an Oracle database fromOracle Corporation in Boston, Mass. The NMS and central processor 12pass control and data over Ethernet 32 using, for example, the JavaDatabase Connectivity (JDBC) protocol. Use of the JDBC protocol allowsthe NMS to communicate with the configuration database in the samemanner that it communicates with its own internal storage mechanisms,including the NMS database. Changes made to the configuration databaseare passed to the NMS database to insure that both databases store thesame data. This synchronization process is much more efficient andtimely than older methods that require the NMS to periodically poll thenetwork device to determine whether configuration changes have beenmade. In these systems, NMS polling is unnecessary and wasteful if theconfiguration has not been changed. Additionally, if a configurationchange is made through some other means, for example, a command lineinterface, and not through the NMS, the NMS will not be updated untilthe next poll, and if the network device crashes prior to the NMS poll,then the configuration change will be lost. In computer system 10,however, command line interface changes made to configuration database42 are passed immediately to the NMS database through the active queryfeature ensuring that the NMS is immediately aware of any configurationchanges.

Typically, work station 62 is coupled to many network computer systems,and NMS 60 is used to configure and manage each of these systems. Inaddition to configuring each system, the NMS also interprets datagathered by each system relevant to each system's network accountingdata, statistics, and fault logging and presents this to the user.Instead of having the NMS interpret each system's data in the samefashion, flexibility is added by having each system send the NMS a JAVAclass file 410 indicating how its network data should be interpreted.Through the File Transfer Protocol (ftp), an accounting subsystemprocess 412 running on central processor 12 pushes a data summary file414 and a binary data file 416 to the NMS. The data summary fileindicates the name of the JAVA Class file the NMS should use tointerpret the binary data file. If the computer system has not alreadydone so, it pushes the class file to the NMS. JAVA Reflection is used toload the application class file and process the data in the binary datafile. As a result, a new class file can be added or updated on acomputer system without having to reboot the computer system or updatethe NMS. The computer system simply pushes the new class file to theNMS. In addition, the NMS can use different class files for eachcomputer system such that the data gathered on each system can beparticularized to each system.

Configuration:

As described above, unlike a monolithic software architecture which isdirectly linked to the hardware of the computer system on which it runs,a modular software architecture includes independent applications thatare significantly decoupled from the hardware through the use of alogical model of the computer system. Using the logical model, a view idand API are generated for each application to define each application'saccess to particular data in a configuration database. The configurationdatabase is established using a data definition language (DDL) file alsogenerated from the logical model. As a result, there is only a limitedconnection between the computer system's software and hardware, whichallows for multiple versions of the same application to run on thecomputer system simultaneously and different types of applications torun simultaneously on the computer system. In addition, while thecomputer system is running, application upgrades and downgrades may beexecuted without affecting other applications and new hardware andsoftware may be added to the system also without affecting otherapplications.

Referring again to FIG. 9, initially, NMS 60 reads card table 47 andport table 49 to determine what hardware is available in computer system10. The NMS assigns a logical identification number (LID) 98 (FIGS. 11aand 11 b) to each card and port and inserts these numbers in an LID toPID Card table (LPCT) 100 and an LID to PID Port table (LPPT) 101 inconfiguration database 42. Alternatively, the NMS could use the PIDpreviously assigned to each board by the MCD. However, to allow forhardware redundancy, the NMS assigns an LID and may associate the LIDwith at least two PIDs, a primary PID 102 and a backup PID 104. (LPCT100 may include multiple backup PID fields to allow more than one backupPID to be assigned to each primary PID.)

The user chooses the desired redundancy structure and instructs the NMSas to which boards are primary boards and which boards are backupboards. For example, the NMS may assign LID 30 to line card 16a—previously assigned PID 500 by the MCD—as a user defined primary card,and the NMS may assign LID 30 to line card 16 n—previously assigned PID513 by the MCD—as a user defined back-up card (see row 106, FIG. 11a).The NMS may also assign LID 40 to port 44 a—previously assigned PID 1500by the MCD—as a primary port, and the NMS may assign LID 40 to port 68a—previously assigned PID 1600 by the MCD—as a back-up port (see row107, FIG. 11b).

In a 1:1 redundant system, each backup line card backs-up only one otherline card and the NMS assigns a unique primary PID and a unique backupPID to each LID (no LIDs share the same PIDs). In a 1:N redundantsystem, each backup line card backs-up at least two other line cards andthe NMS assigns a different primary PID to each LID and the same backupPID to at least two LIDs. For example, if computer system 10 is a 1:Nredundant system, then one line card, for example, line card 16 n,serves as the hardware backup card for at least two other line cards,for example, line cards 16 a and 16 b. If the NMS assigns an LID of 31to line card 16 b, then in logical to physical card table 100 (see row109, FIG. 11a), the NMS associates LID 31 with primary PID 501 (linecard 16 b) and backup PID 513 (line card 16 n). As a result, backup PID513 (line card 16 n) is associated with both LID 30 and 31.

The logical to physical card table provides the user with maximumflexibility in choosing a redundancy structure. In the same computersystem, the user may provide full redundancy (1:1), partial redundancy(1:N), no redundancy or a combination of these redundancy structures.For example, a network manager (user) may have certain customers thatare willing to pay more to ensure their network availability, and theuser may provide a backup line card for each of that customer's primaryline cards (1:1). Other customers may be willing to pay for someredundancy but not full redundancy, and the user may provide one backupline card for all of that customer's primary line cards (1:N). Stillother customers may not need any redundancy, and the user will notprovide any backup line cards for that customer's primary line cards.For no redundancy, the NMS would leave the backup PID field in thelogical to physical table blank. Each of these customers may be servicedby separate computer systems or the same computer system. Redundancy isdiscussed in more detail below.

The NMS and MCD use the same numbering space for LIDs, PIDs and otherassigned numbers to ensure that the numbers are different (nocollisions).

The configuration database, for example, a Polyhedra database, supportsan “active query” feature. Through the active query feature, othersoftware applications can be notified of changes to configurationdatabase records in which they are interested. The NMS databaseestablishes an active query for all configuration database records toinsure it is updated with all changes. The master SRM establishes anactive query with configuration database 42 for LPCT 100 and LPPT 101.Consequently, when the NMS adds to or changes these tables,configuration database 42 sends a notification to the master SRM andincludes the change. In this example, configuration database 42 notifiesmaster SRM 36 that LID 30 has been assigned to PID 500 and 513 and LID31 has been assigned to PID 501 and 513. The master SRM then uses cardtable 47 to determine the physical location of boards associated withnew or changed LIDs and then tells the corresponding slave SRM of itsassigned LID(s). In the continuing example, master SRM reads CT 47 tolearn that PID 500 is line card 16 a, PID 501 is line card 16 b and PID513 is line card 16 n. The master SRM then notifies slave SRM 37 b online card 16 a that it has been assigned LID 30 and is a primary linecard, SRM 37 c on line card 16 b that it has been assigned LID 31 and isa primary line card and SRM 37 o on line card 16 n that it has beenassigned LIDs 30 and 31 and is a backup line card. All three slave SRMs37 b, 37 c and 37 o then set up active queries with configurationdatabase 42 to insure that they are notified of any software loadrecords (SLRs) created for their LIDs. A similar process is followed forthe LIDs assigned to each port.

The NMS informs the user of the hardware available in computer system10. This information may be provided as a text list, as a logicalpicture in a graphical user interface (GUI), or in a variety of otherformats. The user then tells the NMS how they want the systemconfigured.

The user will select which ports (e.g., 44 a-44 d, 46 a-46 f, 68 a-68 n)the NMS should enable. There may be instances where some ports are notcurrently needed and, therefore, not enabled. The user also needs toprovide the NMS with information about the type of network connection(e.g., connection 70 a-70 d, 72 a-72 f, 74 a-74 n). For example, theuser may want all ports 44 a-44 d on line card 16 a enabled to run ATMover SONET. The NMS may start one ATM application to control all fourports, or, for resiliency, the NMS may start one ATM application foreach port.

In the example given above, the user must also indicate the type ofSONET fiber they have connected to each port and what paths to expect.For example, the user may indicate that each port 44 a-44 d is connectedto a SONET optical fiber carrying an OC-48 stream. A channelized OC-48stream is capable of carrying forty-eight STS-1 paths, sixteen STS-3cpaths, four STS-12c paths or a combination of STS-1, STS-3c and STS-12cpaths. A clear channel OC-48c stream carries one concatenated STS-48path. In the example, the user may indicate that the network connectionto port 44 a is a clear channel OC-48 SONET stream having one STS-48path, the network connection to port 44 b is a channelized OC-48 SONETstream having three STS-12c paths (i.e., the SONET fiber is not at fullcapacity—more paths may be added later), the network connection to port44 c is a channelized OC-48 SONET stream having two STS-3c paths (not atfull capacity) and the network connection to port 44 d is a channelizedOC-48 SONET stream having three STS-12c paths (not at full capacity).

The NMS uses the information received from the user to create records inseveral tables in the configuration database, which are then copied tothe NMS database. These tables are accessed by other applications toconfigure computer system 10. One table, the service endpoint table(SET) 76 (see also FIG. 10), is created when the NMS assigns a uniqueservice endpoint number (SE) to each path on each enabled port andcorresponds each service endpoint number with the physicalidentification number (PID) previously assigned to each port by the MCD.Through the use of the logical to physical port table (LPPT), theservice endpoint number also corresponds to the logical identificationnumber (LID) of the port. For example, since the user indicated thatport 44 a (PID 1500) has a single STS-48 path, the NMS assigns oneservice endpoint number (e.g. SE 1, see row 78, FIG. 10). Similarly, theNMS assigns three service endpoint numbers (e.g., SE 2, 3, 4, see rows80-84) to port 44 b (PID 1501), two service endpoint numbers (e.g., SE5, 6, see rows 86, 88) to port 44 c (PID 1502) and three serviceendpoint numbers (e.g., SE 7, 8, 9, see rows 90, 92, 94) to port 44 d.

Service endpoint managers (SEMs) within the modular system services ofthe kernel software running on each line card use the service endpointnumbers assigned by the NMS to enable ports and to link instances ofapplications, for example, ATM, running on the line cards with thecorrect port. The kernel may start one SEM to handle all ports on oneline card, or, for resiliency, the kernel may start one SEM for eachparticular port. For example, SEMs 96 a-96 d are spawned toindependently control ports 44 a-44 d.

The service endpoint managers (SEMs) running on each board establishactive queries with the configuration database for SET 76. Thus, whenthe NMS changes or adds to the service endpoint table (SET), theconfiguration database sends the service endpoint manager associatedwith the port PID in the SET a change notification including informationon the change that was made. In the continuing example, configurationdatabase 42 notifies SEM 96 a that SET 76 has been changed and that SE 1was assigned to port 44 a (PID 1500). Configuration database 42 notifiesSEM 96 b that SE 2, 3, and 4 were assigned to port 44 b (PID 1501), SEM96 c that SE 5 and 6 were assigned to port 44 c (PID 1502) and SEM 96 dthat SE 7, 8, and 9 were assigned to port 44 d (PID 1503). When aservice endpoint is assigned to a port, the SEM associated with thatport passes the assigned SE number to the port driver for that portusing the port PID number associated with the SE number.

To load instances of software applications on the correct boards, theNMS creates software load records (SLR) 128 a-128 n in configurationdatabase 42. The SLR includes the name 130 (FIG. 14) of a control shimexecutable file and an LID 132 for cards on which the application mustbe spawned. In the continuing example, NMS 60 creates SLR 128 aincluding the executable name atm_cntrl.exe and card LID 30 (row 134).The configuration database detects LID 30 in SLR 128 a and sends slaveSRMs 37 b (line card 16 a) and 37 o (line card 16 n) a changenotification including the name of the executable file (e.g.,atm_cntrl.exe) to be loaded. The primary slave SRMs then download andexecute a copy of atm_cntrl.exe 135 from memory 40 to spawn the ATMcontrollers (e.g., ATM controller 136 on line card 16 a). Since slaveSRM 37 o is on backup line card 16 n, it may or may not spawn an ATMcontroller in backup mode. Software backup is described in more detailbelow. Instead of downloading a copy of atm_cntrl.exe 135 from memory40, a slave SRM may download it from another line card that alreadydownloaded a copy from memory 40. There may be instances whendownloading from a line card is quicker than downloading from centralprocessor 12. Through software load records and the tables inconfiguration database 42, applications are downloaded and executedwithout the need for the system services, including the SRM, or anyother software in the kernel to have information as to how theapplications should be configured. The control shims (e.g.,atm_cntrl.exe 135) interpret the next layer of the application (e.g.,ATM) configuration.

For each application that needs to be spawned, for example, an ATMapplication and a SONET application, the NMS creates an applicationgroup table. Referring to FIG. 12, ATM group table 108 indicates thatfour instances of ATM (i.e., group number 1, 2, 3, 4)—corresponding tofour enabled ports 44 a-44 n—are to be started on line card 16 a (LID30). If other instances of ATM are started on other line cards, theywould also be listed in ATM group table 108 but associated with theappropriate line card LID. ATM group table 108 may also includeadditional information needed to execute ATM applications on eachparticular line card. (See description of software backup below.)

In the above example, one instance of ATM was started for each port onthe line card. This provides resiliency and fault isolation should oneinstance of ATM fail or should one port suffer a failure. An even moreresilient scheme would include multiple instances of ATM for each port.For example, one instance of ATM may be started for each path receivedby a port.

The application controllers on each board now need to know how manyinstances of the corresponding application they need to spawn. Thisinformation is in the application group table in the configurationdatabase. Through the active query feature, the configuration databasenotifies the application controller of records associated with theboard's LID from corresponding application group tables. In thecontinuing example, configuration database 42 sends ATM controller 136records from ATM group table 108 that correspond to LID 30 (line card 16a). With these records, ATM controller 136 learns that there are fourATM groups associated with LID 30 meaning ATM must be instantiated fourtimes on line card 16 a. ATM controller 136 asks slave SRM 37 b todownload and execute four instances (ATM 110-113, FIG. 15) of atm.exe138.

Once spawned, each instantiation of ATM 110-113 sends an active databasequery to search ATM interface table 114 for its corresponding groupnumber and to retrieve associated records. The data in the recordsindicates how many ATM interfaces each instantiation of ATM needs tospawn. Alternatively, a master ATM application (not shown) running oncentral processor 12 may perform active queries of the configurationdatabase and pass information to each slave ATM application running onthe various line cards regarding the number of ATM interfaces each slaveATM application needs to spawn.

Referring to FIGS. 13 and 15, for each instance of ATM 110-113 there maybe one or more ATM interfaces. To configure these ATM interfaces, theNMS creates an ATM interface table 114. There may be one ATM interface115-122 per path/service endpoint or multiple virtual ATM interfaces123-125 per path. This flexibility is left up to the user and NMS, andthe ATM interface table allows the NMS to communicate this configurationinformation to each instance of each application running on thedifferent line cards. For example, ATM interface table 114 indicatesthat for ATM group 1, service endpoint 1, there are three virtual ATMinterfaces (ATM-IF 1-3) and for ATM group 2, there is one ATM interfacefor each service endpoint: ATM-IF 4 and SE 2; ATM-IF 5 and SE 3; andATM-IF 6 and SE 4.

Computer system 10 is now ready to operate as a network switch usingline card 16 a and ports 44 a-44 d. The user will likely provide the NMSwith further instructions to configure more of computer system 10. Forexample, instances of other software applications, such as an IPapplication, and additional instances of ATM may be spawned (asdescribed above) on line cards 16 a or other boards in computer system10.

As shown above, all application dependent data resides in memory 40 andnot in kernel software. Consequently, changes may be made toapplications and configuration data in memory 40 to allow hot (whilecomputer system 10 is running) upgrades of software and hardware andconfiguration changes. Although the above described power-up andconfiguration of computer system 10 is complex, it provides massiveflexibility as described in more detail below.

Inter-Process Communication:

As described above, the operating system assigns a unique processidentification number (proc_id) to each spawned process. Each processhas a name, and each process knows the names of other processes withwhich it needs to communicate. The operating system keeps a list ofprocess names and the assigned process identification numbers. Processessend messages to other processes using the assigned processidentification numbers without regard to what board is executing eachprocess (i.e., process location). Application Programming Interfaces(APIs) define the format and type of information included in themessages.

The modular software architecture configuration model requires a singlesoftware process to support multiple configurable objects. For example,as described above, an ATM application may support configurationsrequiring multiple ATM interfaces and thousands of permanent virtualconnections per ATM interface. The number of processes and configurableobjects in a modular software architecture can quickly grow especiallyin a distributed processing system. If the operating system assigns anew process for each configurable object, the operating system'scapabilities may be quickly exceeded. For example, the operating systemmay be unable to assign a process for each ATM interface, each serviceendpoint, each permanent virtual circuit, etc. In some instances, theprocess identification numbering scheme itself may not be large enough.Where protected memory is supported, the system may have insufficientmemory to assign each process and configurable object a separate memoryblock. In addition, supporting a large number of independent processesmay reduce the operating system's efficiency and slow the operation ofthe entire computer system.

One alternative is to assign a unique process identification number toonly certain high level processes. Referring to FIG. 16a, for example,process identification numbers may only be assigned to each ATM process(e.g., ATMs 240, 241) and not to each ATM interface (e.g., ATM IFs242-247) and process identification numbers may only be assigned to eachport device driver (e.g., device drivers 248, 250, 252) and not to eachservice endpoint (e.g., SE 253-261). A disadvantage to this approach isthat objects within one high level process will likely need tocommunicate with objects within other high level processes. For example,ATM interface 242 within ATM 240 may need to communicate with SE 253within device driver 248. ATM IF 242 needs to know if SE 253 is activeand perhaps certain other information about SE 253. Since SE 253 was notassigned a process identification number, however, neither ATM 240 norATM IF 242 knows if it exists. Similarly, ATM IF 242 knows it needs tocommunicate with SE 253 but does not know that device driver 248controls SE 253.

One possible solution is to hard code the name of device driver 248 intoATM 240. ATM 240 then knows it must communicate with device driver 248to learn about the existence of any service endpoints within devicedriver 248 that may be needed by ATM IF 242, 243 or 244. Unfortunately,this can lead to scalability issues. For instance, each instantiation ofATM (e.g., ATM 240, 241) needs to know the name of all device drivers(e.g., device drivers 248, 250, 252) and must query each device driverto locate each needed service endpoint. An ATM query to a device driverthat does not include a necessary service endpoint is a waste of timeand resources. In addition, each high level process must periodicallypoll other high level processes to determine whether objects within themare still active (i.e., not terminated) and whether new objects havebeen started. If the object status has not changed between polls, thenthe poll wasted resources. If the status did change, then communicationshave been stalled for the length of time between polls. In addition, ifa new device driver is added (e.g., device driver 262), then ATM 240 and241 cannot communicate with it or any of the service endpoints within ituntil they have been upgraded to include the new device driver's name.

Preferably, computer system 10 implements a name server process and aflexible naming procedure. The name server process allows high levelprocesses to register information about the objects within them and tosubscribe for information about the objects with which they need tocommunicate. The flexible naming procedure is used instead of hardcoding names in processes. Each process, for example, applications anddevice drivers, use tables in the configuration database to derive thenames of other configurable objects with which they need to communicate.For example, both an ATM application and a device driver process may usean assigned service endpoint number from the service endpoint table(SET) to derive the name of the service endpoint that is registered bythe device driver and subscribed for by the ATM application. Since theservice endpoint numbers are assigned by the NMS during configuration,stored in SET 76 and passed to local SEMs, they will not be changed ifdevice drivers or applications are upgraded or restarted.

Referring to FIG. 16b, for example, when device drivers 248, 250 and 252are started they each register with name server (NS) 264. Each devicedriver provides a name, a process identification number and the name ofeach of its service endpoints. Each device driver also updates the nameserver as service endpoints are started, terminated or restarted.Similarly, each instantiation of ATM 240, 241 subscribes with nameserver 264 and provides its name, process identification number and thename of each of the service endpoints in which it is interested. Thename server then notifies ATM 240 and 241 as to the processidentification of the device driver with which they should communicateto reach a desired service endpoint. The name server updates ATM 240 and241 in accordance with updates from the device drivers. As a result,updates are provided only when necessary (i.e., no wasted resources),and the computer system is highly scalable. For example, if a new devicedriver 262 is started, it simply registers with name server 264, andname server 264 notifies either ATM 240 or 241 if a service endpoint inwhich they are interested is within the new device driver. The same istrue if a new instantiation of ATM—perhaps an upgraded version—isstarted or if either an ATM application or a device driver fails and isrestarted.

Referring to FIG. 16c, when the SEM, for example, SEM 96 a, notifies adevice driver, for example, device driver (DD) 222, of its assigned SEnumber, DD 222 uses the SE number to generate a device driver name. Inthe continuing example from above, where the ATM over SONET protocol isto be delivered to port 44 a and DD 222, the device driver name may befor example, atm.sel. DD 222 publishes this name to NS 220 b along withthe process identification assigned by the operating system and the nameof its service endpoints.

Applications, for example, ATM 224, also use SE numbers to generate thenames of device drivers with which they need to communicate andsubscribe to NS 220 b for those device driver names, for example,atm.sel. If the device driver has published its name and processidentification with NS 220 b, then NS 220 b notifies ATM 224 of theprocess identification number associated with atm.sel and the name ofits service endpoints. ATM 224 can then use the process identificationto communicate with DD 222 and, hence, any objects within DD 222. Ifdevice driver 222 is restarted or upgraded, SEM 96 a will again notifyDD 222 that its associated service endpoint is SE 1 which will cause DD222 to generate the same name of atm.sel. DD 222 will then re-publishwith NS 220 b and include the newly assigned process identificationnumber. NS 220 b will provide the new process identification number toATM 224 to allow the processes to continue to communicate. Similarly, ifATM 224 is restarted or upgraded, it will use the service endpointnumbers from ATM interface table 114 and, as a result, derive the samename of atm.sel for DD 222. ATM 224 will then re-subscribe with NS 220b. Computer system 10 includes a distributed name server (NS)application including a name server process 220 a-220 n on each board(central processor and line card). Each name server process handles theregistration and subscription for the processes on its correspondingboard. For distributed applications, after each application (e.g., ATM224 a-224 n) registers with its local name server (e.g., 220 b-220 n),the name server registers the application with each of the other nameservers. In this way, only distributed applications areregistered/subscribed system wide which avoids wasting system resourcesby registering local processes system wide.

The operating system, through the use of assigned process identificationnumbers, allows for inter-process communication (IPC) regardless of thelocation of the processes within the computer system. The flexiblenaming process allows applications to use data in the configurationdatabase to determine the names of other applications and configurableobjects, thus, alleviating the need for hard coded process names. Thename server notifies individual processes of the existence of theprocesses and objects with which they need to communicate and theprocess identification numbers needed for that communication. Thetermination, re-start or upgrade of an object or process is, therefore,transparent to other processes, with the exception of being notified ofnew process identification numbers. For example, due to a configurationchange initiated by the user of the computer system, service endpoint253 (FIG. 16b), may be terminated within device driver 248 and startedinstead within device driver 250. This movement of the location ofobject 253 is transparent to both ATM 240 and 241. Name server 264simply notifies whichever processes have subscribed for SE 253 of thenewly assigned process identification number corresponding to devicedriver 250.

The name server or a separate binding object manager (BOM) process mayallow processes and configurable objects to pass additional informationadding further flexibility to inter-process communications. For example,flexibility may be added to the application programming interfaces(APIs) used between processes. As discussed above, once a process isgiven a process identification number by the name server correspondingto an object with which it needs to communicate, the process can thensend messages to the other process in accordance with a predefinedapplication programming interface (API). Instead of having a predefinedAPI, the API could have variables defined by data passed through thename server or BOM, and instead of having a single API, multiple APIsmay be available and the selection of the API may be dependent uponinformation passed by the name server or BOM to the subscribedapplication.

Referring to FIG. 16d, a typical API will have a predefined messageformat 270 including, for example, a message type 272 and a value 274 ofa fixed number of bits (e.g., 32). Processes that use this API must usethe predefined message format. If a process is upgraded, it will beforced to use the same message format or change the API/message formatwhich would require that all processes that use this API also besimilarly upgraded to use the new API. Instead, the message format canbe made more flexible by passing information through the name server orBOM. For example, instead of having the value field 274 be a fixednumber of bits, when an application registers a name and processidentification number it may also register the number of bits it planson using for the value field (or any other field). Perhaps a zeroindicates a value field of 32 bits and a one indicates a value filed of64 bits. Thus, both processes know the message format but someflexibility has been added.

In addition to adding flexibility to the size of fields in a messageformat, flexibility may be added to the overall message format includingthe type of fields included in the message. When a process registers itsname and process identification number, it may also register a versionnumber indicating which API version should be used by other processeswishing to communicate with it. For example, device driver 250 (FIG.16b) may register SE 258 with NS 264 and provide the name of SE 258,device driver 250's process identification number and a version numberone, and device driver 252 may register SE 261 with NS 264 and providethe name of SE 261, device driver 252's process identification numberand a version number (e.g., vertion number two). If ATM 240 hassubscribed for either SE 258 or SE 261, then NS 264 notifies ATM 240that SE 258 and SE 261 exist and provides the process identificationnumbers and version numbers. The version number tells ATM 240 whatmessage format and information SE 258 and SE 261 expect. The differentmessage formats for each version may be hard coded into ATM 240 or ATM240 may access system memory or the configuration database for themessage formats corresponding to service endpoint version one andversion two. As a result, the same application may communicate withdifferent versions of the same configurable object using a differentAPI.

This also allows an application, for example, ATM, to be upgraded tosupport new configurable objects, for example, new ATM interfaces, whilestill being backward compatible by supporting older configurableobjects, for example, old ATM interfaces. Backward compatibility hasbeen provided in the past through revision numbers, however, initialcommunication between processes involved polling to determine versionnumbers and where multiple applications need to communicate, each wouldneed to poll the other. The name server/BOM eliminates the need forpolling.

As described above, the name server notifies subscriber applicationseach time a subscribed for process is terminated. Instead, the nameserver/BOM may not send such a notification unless the System ResiliencyManager (SRM) tells the name server/BOM to send such a notification. Forexample, depending upon the fault policy/resiliency of the system, aparticular software fault may simply require that a process berestarted. In such a situation, the name server/BOM may not notifysubscriber applications of the termination of the failed process andinstead simply notify the subscriber applications of the newly assignedprocess identification number after the failed process has beenrestarted. Data that is sent by the subscriber processes after thetermination of the failed process and prior to the notification of thenew process identification number may be lost but the recovery of thisdata (if any) may be less problematic than notifying the subscriberprocesses of the failure and having them hold all transmissions. Forother faults, or after a particular software fault occurs apredetermined number of times, the SRM may then require the nameserver/BOM to notify all subscriber processes of the termination of thefailed process. Alternatively, if a terminated process does notreregister within a predetermined amount of time, the name server/BOMmay then notify all subscriber processes of the termination of thefailed process.

Configuration Change:

Over time the user will likely make hardware changes to the computersystem that require configuration changes. For example, the user mayplug a fiber or cable (i.e., network connection) into an as yet unusedport, in which case, the port must be enabled and, if not alreadyenabled, then the port's line card must also be enabled. As otherexamples, the user may add another path to an already enabled port thatwas not fully utilized, and the user may add another line card to thecomputer system. Many types of configuration changes are possible, andthe modular software architecture allows them to be made while thecomputer system is running (hot changes). Configuration changes may beautomatically copied to persistent storage as they are made so that ifthe computer system is shut down and rebooted, the memory andconfiguration database will reflect the last known state of thehardware.

To make a configuration change, the user informs the NMS of theparticular change, and similar to the process for initial configuration,the NMS changes the appropriate tables in the configuration database(copied to the NMS database) to implement the change.

Referring to FIG. 17, in one example of a configuration change, the usernotifies the NMS that an additional path will be carried by SONET fiber70 c connected to port 44 c. A new service endpoint (SE) 164 and a newATM interface 166 are needed to handle the new path. The NMS adds a newrecord (row 168, FIG. 10) to service endpoint table (SET) 76 to includeservice endpoint 10 corresponding to port physical identification number(PID) 1502 (port 44 c). The NMS also adds a new record (row 170, FIG.13) to ATM instance table 114 to include ATM interface (IF) 12corresponding to ATM group 3 and SE 10. Configuration database 42 mayautomatically copy the changes made to SET 76 and ATM instance table 114to persistent storage 21 such that if the computer system is shut downand rebooted, the changes to the configuration database will bemaintained.

Configuration database 42 also notifies (through the active queryprocess) SEM 96 c that a new service endpoint (SE 10) was added to theSET corresponding to its port (PID 1502), and configuration database 42also notifies ATM instantiation 112 that a new ATM interface (ATM-IF166) was added to the ATM interface table corresponding to ATM group 3.ATM 112 establishes ATM interface 166 and SEM 96 c notifies port driver142 that it has been assigned SE10. A communication link is establishedthrough NS 220 b. Device driver 142 generates a service endpoint nameusing the assigned SE number and publishes this name and its processidentification number with NS 220 b. ATM interface 166 generates thesame service endpoint name and subscribes to NS 220 b for that serviceendpoint name. NS 220 b provides ATM interface 166 with the processidentification assigned to DD 142 allowing ATM interface 166 tocommunicate with device driver 142.

Certain board changes to computer system 10 are also configurationchanges. After power-up and configuration, a user may plug another boardinto an empty computer system slot or remove an enabled board andreplace it with a different board. In the case where applications anddrivers for a line card added to computer system 10 are already loaded,the configuration change is similar to initial configuration. Theadditional line card may be identical to an already enabled line card,for example, line card 16 a or if the additional line card requiresdifferent drivers (for different components) or different applications(e.g., IP), the different drivers and applications are already loadedbecause computer system 10 expects such cards to be inserted.

Referring to FIG. 18, while computer system 10 is running, when anotherline card 168 is inserted, master MCD 38 detects the insertion andcommunicates with a diagnostic program 170 being executed by the linecard's processor 172 to learn the card's type and version number. MCD 38uses the information it retrieves to update card table 47 and port table49. MCD 38 then searches physical module description (PMD) file 48 inmemory 40 for a record that matches the retrieved card type and versionnumber and retrieves the name of the mission kernel image executablefile (MKI.exe) that needs to be loaded on line card 168. Oncedetermined, master MCD 38 passes the name of the MKI executable file tomaster SRM 36. SRM 36 downloads MKI executable file 174 from persistentstorage 21 and passes it to a slave SRM 176 running on line card 168.The slave SRM executes the received MKI executable file.

Referring to FIG. 19, slave MCD 178 then searches PMD file 48 in memory40 on central processor 12 for a match with its line card's type andversion number to find the names of all the device driver executablefiles associated needed by its line card. Slave MCD 178 provides thesenames to slave SRM 176 which then downloads and executes the devicedriver executable files (DD.exe) 180 from memory 40.

When master MCD 38 updates card table 47, configuration database 42updated NMS database 61 which sends NMS 60 a notification of the changeincluding card type and version number, the slot number into which thecard was inserted and the physical identification (PID) assigned to thecard by the master MCD. The NMS is updated, assigns an LID and updatesthe logical to physical table and notifies the user of the new hardware.The user then tells the NMS how to configure the new hardware, and theNMS implements the configuration change as described above for initialconfiguration.

Logical Model Change:

Where applications and device drivers for a new line card are notalready loaded and where changes or upgrades to already loadedapplications and device drivers are needed, logical model 280 (FIGS.2-3) must be changed and new view ids and APIs and new DDL files must bere-generated. Software model 286 is changed to include models of the newor upgraded software, and hardware model 284 is changed to includemodels of any new hardware. New logical model 280′ is then used by codegenerator 336 to re-generate view ids and APIs for each application,including any new applications, for example, ATM version two 360, ordevice drivers, for example, device driver 362, and to regenerate DDLfiles 344′ and 348′ including new SQL commands and data relevant to thenew hardware and/or software. Each application, including any newapplications or drivers, is then pulled into the build process and linksin a corresponding view id and API. The new applications and/or devicedrivers and the new DDL files as well as any new hardware are then sentto the user of computer system 10.

New and upgraded applications and device drivers are being used by wayof an example, and it should be understood that other processes, forexample, modular system services and new Mission Kernel Images (MKIs),may be changed or upgraded in the same fashion.

Referring to FIG. 20, the user instructs the NMS to download the newapplications and/or device drivers, for example, ATM version two 360 anddevice driver 362, as well as the new DDL files, for example, DDL files344′ and 348′, into memory on work station 62. The NMS uses new NMSdatabase DDL file 348′ to upgrade NMS database 61 into new NMS database61′. Alternatively, a new NMS database may be created using DDL file348′ and both databases temporarily maintained.

Application Upgrade:

For new applications and application upgrades, the NMS works with asoftware management system (SMS) service to implement the change whilethe computer system is running (hot upgrades or additions). The SMS isone of the modular system services, and like the MCD and the SRM, theSMS is a distributed application. Referring to FIG. 20, a master SMS 184is executed by central processor 12 while slave SMSs 186 a-186 n areexecuted on each board.

Upgrading a distributed application that is running on multiple boardsis more complicated than upgrading an application running on only oneboard. As an example of a distributed application upgrade, the user maywant to upgrade all ATM applications running on various boards in thesystem using new ATM version two 360. This is by way of example, and itshould be understood, that only one ATM application may be upgraded solong as it is compatible with the other versions of ATM running on otherboards. ATM version two 360 may include many sub-processes, for example,an upgraded ATM application executable file (ATMv2.exe 189), an upgradedATM control executable file (ATMv2_cntrl.exe 190) and an ATMconfiguration control file (ATMv2_cnfg_cntrl.exe). The NMS downloadsATMv2.exe 189, ATMv2_cntrl.exe and ATMv2_cnfg cntrl.exe to memory 40 oncentral processor 12.

The NMS then writes a new record into SMS table 192 indicating the scopeof the configuration update. The scope of an upgrade may be indicated ina variety of ways. In one embodiment, the SMS table includes a field forthe name of the application to be changed and other fields indicatingthe changes to be made. In another embodiment, the SMS table includes arevision number field 194 (FIG. 21) through which the NMS can indicatethe scope of the change. Referring to FIG. 21, the right most positionin the revision number may indicate, for example, the simplestconfiguration update (e.g., a bug fix), in this case, termed a “serviceupdate level” 196. Any software revisions that differ by only theservice update level can be directly applied without making changes inthe configuration database or API changes between the new and currentrevision. The next position may indicate a slightly more complex update,in this case, termed a “subsystem compatibility level” 198. Thesechanges include changes to the configuration database and/or an API. Thenext position may indicate a “minor revision level” 200 updateindicating more comprehensive changes in both the configuration databaseand one or more APIs. The last position may indicate a “major revisionlevel” 202 update indicative of wholesale changes in multiple areas andmay require a reboot of the computer system to implement. For a majorrevision level change, the NMS will download a complete image includinga kernel image.

During initial configuration, the SMS establishes an active query on SMStable 192. Consequently, when the NMS changes the SMS table, theconfiguration database sends a notification to master SMS 184 includingthe change. In some instances, the change to an application may requirechanges to configuration database 42. The SMS determines the need forconfiguration conversion based on the scope of the release or update. Ifthe configuration database needs to be changed, then the software, forexample, ATM version two 360, provided by the user and downloaded by theNMS also includes a configuration control executable file, for example,ATMv2_cnfig_cntrl.exe 191, and the name of this file will be in the SMStable record. The master SMS then directs slave SRM 37 a on centralprocessor 12 to execute the configuration control file which uses DDLfile 344′ to upgrade old configuration database 42 into newconfiguration database 42′ by creating new tables, for example, ATMgroup table 108′ and ATM interface table 114′. Existing processes usingtheir view ids and APIs to access new configuration database 42′ in thesame manner as they accessed old configuration database 42. However,when new processes (e.g., ATM version two 360 and device driver 362)access new configuration database 42′, their view ids and APIs allowthem to access new tables and data within new configuration database42′.

The master SMS also reads ATM group table 108′ to determine thatinstances of ATM are being executed on line cards 16 a-16 n. In order toupgrade a distributed application, in this instance, ATM, the Master SMSwill use a lock step procedure. Master SMS 184 tells each slave SMS 186b-186 n to stall the current versions of ATM. When each slave responds,Master SMS 184 then tells slave SMSs 186 b-186 n to download and executeATMv2_cntrl.exe 190 from memory 40. Upon instructions from the slaveSMSs, slave SRMs 37 b-37 n download and execute copies ofATMv2_cntrl.exe 204 a-204 n. The slave SMSs also pass data to theATMv2cntrl.exe file through the SRM. The data instructs the control shimto start in upgrade mode and passes required configuration information.The upgraded ATMv2 controllers 204 a-204 n then use ATM group table 108′and ATM interface table 114′ as described above to implement ATMv2 206a-206 n on each of the line cards. In this example, each ATM controlleris shown implementing one instance of ATM on each line card, but asexplained below, the ATM controller may implement multiple instances ofATM on each line card.

As part of the upgrade mode, the updated versions of ATMv2 206 a-206 nretrieve active state from the current versions of ATM 188 a-188 n. Theretrieval of active state can be accomplished in the same manner that aredundant or backup instantiation of ATM retrieves active state from theprimary instantiation of ATM. When the upgraded instances of ATMv2 areexecuting and updated with active state, the ATMv2 controllers notifythe slave SMSs 186 b-186 n on their board and each slave SMS 186 b-186 nnotifies master SMS 184. When all boards have notified the master SMS,the master SMS tells the slave SMSs to switchover to ATMv2 206 a-206 n.The slave SMSs tell the slave SRMs running on their board, and the slaveSRMs transition the new ATMv2 processes to the primary role. This istermed “lock step upgrade” because each of the line cards is switchedover to the new ATMv2 processes simultaneously.

There may be upgrades that require changes to multiple applications andto the APIs for those applications. For example, a new feature may beadded to ATM that also requires additional functionality to be added tothe Multi-Protocol Label Switching (MPLS) application. The additionallyfunctionality may change the peer-to-peer API for ATM, the peer-to-peerAPI for MPLS and the API between ATM and MPLS. In this scenario, theupgrade operation must avoid allowing the “new” version of ATM tocommunicate with itself or the “old” version of MPLS and vice versa. Themaster SMS will use the release number scheme to determine therequirements for the individual upgrade. For example, the upgrade may befrom release 1.0.0.0 to 1.0.1.3 where the release differs by thesubsystem compatibility level. The SMS implements the upgrade in a lockstep fashion. All instances of ATM and MPLS are upgraded first. Theslave SMS on each line card then directs the slave SRM on its board toterminate all “old” instances of ATM and MPLS and switchover to the newinstances of MPLS and ATM. The simultaneous switchover to new versionsof both MPLS and ATM eliminate any API compatibility errors.

Referring to FIG. 22, instead of directly upgrading configurationdatabase 42 on central processor 12, a backup configuration database 420on a backup central processor 13 may be upgraded first. As describedabove, computer system 10 includes central processor 12. Computer system10 may also include a redundant or backup central processor 13 thatmirrors or replicates the active state of central processor 12. Backupcentral processor 13 is generally in stand-by mode unless centralprocessor 12 fails at which point a fail-over to backup centralprocessor 13 is initiated to allow the backup central processor to besubstituted for central processor 12. In addition to failures, backupcentral processor 13 may be used for software and hardware upgrades thatrequire changes to the configuration database. Through backup centralprocessor 13, upgrades can be made to backup configuration database 420instead of to configuration database 42.

The upgrade is begun as discussed above with the NMS downloading ATMversion two 360—including ATMv2.exe 189, ATMv2_cntrl.exe andATMv2_cnfg_cntrl.exe—and DDL file 344′ to memory on central processor12. Simultaneously, because central processor 13 is in backup mode, theapplication and DDL file are also copied to memory on central processor13. The NMS also creates a software load record in SMS table 192, 192′indicating the upgrade. In this embodiment, when the SMS determines thatthe scope of the upgrade requires an upgrade to the configurationdatabase, the master SMS instructs slave SMS 186 e on central processor13 to perform the upgrade. Slave SMS 186 e works with slave SRM 37 e tocause backup processor 13 to change from backup mode to upgrade mode.

In upgrade mode, backup processor 13 stops replicating the active stateof central processor 12. Any changes made to new configuration database420 are copied to new NMS database 61′. Slave SMS 186 e then directsslave SRM 37 e to execute the configuration control file which uses DDLfile 344′ to upgrade configuration database 420.

Once configuration database 420 is upgraded, a fail-over or switch-overfrom central processor 12 to backup central processor 13 is initiated.Central processor 13 then begins acting as the primary central processorand applications running on central processor 13 and other boardsthroughout computer system 10 begin using upgraded configurationdatabase 420.

Central processor 12 may not become the backup central processor rightaway. Instead, central processor 12 with its older copy of configurationdatabase 42 stays dormant in case an automatic downgrade is necessary(described below). If the upgrade goes smoothly and is committed(described below), then central processor 12 will begin operating inbackup mode and replace old configuration database 42 with newconfiguration database 420.

Device Driver Upgrade:

Device driver software may also be upgraded and the implementation ofdevice driver upgrades is similar to the implementation of applicationupgrades. The user informs the NMS of the device driver change andprovides a copy of the new software (e.g., DD{circumflex over ( )}.exe362, FIGS. 20 and 23). The NMS downloads the new device driver to memory40 on central processor 12, and the NMS writes a new record in SMS table192 indicating the device driver upgrade. Configuration database 42sends a notification to master SMS 184 including the name of the driverto be upgraded. To determine where the original device driver iscurrently running in computer system 10, the master SMS searches PMDfile 48 for a match of the device driver name (existing device driver,not upgraded device driver) to learn with which module type and versionnumber the device driver is associated. The device driver may be runningon one or more boards in computer system 10. As described above, the PMDfile corresponds the module type and version number of a board with themission kernel image for that board as well as the device drivers forthat board. The SMS then searches card table 47 for a match with themodule type and version number found in the PMD file. Card table 47includes records corresponding module type and version number with thephysical identification (PID) and slot number of that board. The masterSMS now knows the board or boards within computer system 10 on which toload the upgraded device driver. If the device driver is for aparticular port, then the SMS must also search the port table to learnthe PID for that port.

The master SMS notifies each slave SMS running on boards to be upgradedof the name of the device driver executable file to download andexecute. In the example, master SMS 184 sends slave SMS 186 f the nameof the upgraded device driver (DD{circumflex over ( )}.exe 362) todownload. Slave SMS 186 f tells slave SRM to download and executeDD{circumflex over ( )}.exe 362 in upgrade mode. Once downloaded,DD{circumflex over ( )}.exe 363 (copy of DD{circumflex over ( )}.exe362) gathers active state information from the currently running DD.exe212 in a similar fashion as a redundant or backup device driver wouldgather active state. DD{circumflex over ( )}.exe 362 then notifies slaveSRM 37 f that active state has been gathered, and slave SRM 37 f stopsthe current DD.exe 212 process and transitions the upgradedDD{circumflex over ( )}.exe 362 process to the primary role.

Automatic Downgrade:

Often, implementation of an upgrade, can cause unexpected errors in theupgraded software, in other applications or in hardware. As describedabove, a new configuration database 42′ (FIG. 20) is generated andchanges to the new configuration database are made in new tables (e.g.,ATM interface table 114′ and ATM group table 108′, FIG. 20) and newexecutable files (e.g., ATMv2.exe 189, ATMv2_cntrl.exe 190 andATMv2_cnfg_cntrl.exe 191) are downloaded to memory 40. Importantly, theold configuration database records and the original application filesare not deleted or altered. In the embodiment where changes are madedirectly to configuration database 42 on central processor 12, they aremade only in non-persistent memory until committed (described below). Inthe embodiment where changes are made to backup configuration database420 on backup central processor 13, original configuration database 42remains unchanged.

Because the operating system provides a protected memory model thatassigns different process blocks to different processes, includingupgraded applications, the original applications will not share memoryspace with the upgraded applications and, therefore, cannot corrupt orchange the memory used by the original application. Similarly, memory 40is capable of simultaneously maintaining the original and upgradedversions of the configuration database records and executable files aswell as the original and upgraded versions of the applications (e.g.,ATM 188 a-188 n). As a result, the SMS is capable of an automaticdowngrade on the detection of an error. To allow for automaticdowngrade, the SRMs pass error information to the SMS. The SMS may causethe system to revert to the old configuration and application (i.e.,automatic downgrade) on any error or only for particular errors.

As mentioned, often upgrades to one application may cause unexpectedfaults or errors in other software. If the problem causes a system shutdown and the configuration upgrade was stored in persistent storage,then the system, when powered back up, will experience the error againand shut down again. Since, the upgrade changes to the configurationdatabase are not copied to persistent storage 21 until the upgrade iscommitted, if the computer system is shut down, when it is powered backup, it will use the original version of the configuration database andthe original executable files, that is, the computer system willexperience an automatic downgrade.

Additionally, a fault induced by an upgrade may cause the system tohang, that is, the computer system will not shut down but will alsobecome inaccessible by the NMS and inoperable. To address this concern,in one embodiment, the NMS and the master SMS periodically send messagesto each other indicating they are executing appropriately. If the SMSdoes not receive one of these messages in a predetermined period oftime, then the SMS knows the system has hung. The master SMS may thentell the slave SMSs to revert to the old configuration (i.e., previouslyexecuting copies of ATM 188 a-188 n) and if that does not work, themaster SMS may re-start/re-boot computer system 10. Again, because theconfiguration changes were not saved in persistent storage, when thecomputer system powers back up, the old configuration will be the oneimplemented.

Evaluation Mode:

Instead of implementing a change to a distributed application across theentire computer system, an evaluation mode allows the SMS to implementthe change in only a portion of the computer system. If the evaluationmode is successful, then the SMS may fully implement the change systemwide. If the evaluation mode is unsuccessful, then service interruptionis limited to only that portion of the computer system on which theupgrade was deployed. In the above example, instead of executing theupgraded ATMv2 189 on each of the line cards, the ATMv2 configurationconvert file 191 will create an ATMv2 group table 108′ indicating anupgrade only to one line card, for example, line card 16 a. Moreover, ifmultiple instantiations of ATM are running on line card 16 a (e.g., oneinstantiation per port), the ATMv2 configuration convert file mayindicate through ATMv2 interface table 114′ that the upgrade is for onlyone instantiation (e.g., one port) on line card 16 a. Consequently, afailure is likely to only disrupt service on that one port, and again,the SMS can further minimize the disruption by automatically downgradingthe configuration of that port on the detection of an error. If no erroris detected during the evaluation mode, then the upgrade can beimplemented over the entire computer system.

Upgrade Commitment:

Upgrades are made permanent by saving the new application software andnew configuration database and DDL file in persistent storage andremoving the old configuration data from memory 40 as well as persistentstorage. As mentioned above, changes may be automatically saved inpersistent storage as they are made in non-persistent memory (noautomatic downgrade), or the user may choose to automatically commit anupgrade after a successful time interval lapses (evaluation mode). Thetime interval from upgrade to commitment may be significant. During thistime, configuration changes may be made to the system. Since thesechanges are typically made in non-persistent memory, they will be lostif the system is rebooted prior to upgrade commitment. Instead, tomaintain the changes, the user may request that certain configurationchanges made prior to upgrade commitment be copied into the oldconfiguration database in persistent memory. Alternatively, the user maychoose to manually commit the upgrade at his or her leisure. In themanual mode, the user would ask the NMS to commit the upgrade and theNMS would inform the master SMS, for example, through a record in theSMS table.

Independent Process Failure and Restart:

Depending upon the fault policy managed by the slave SRMs on each board,the failure of an application or device driver may not immediately causean automatic downgrade during an upgrade process. Similarly, the failureof an application or device driver during normal operation may notimmediately cause the fail over to a backup or redundant board. Instead,the slave SRM running on the board may simply restart the failingprocess. After multiple failures by the same process, the fault policymay cause the SRM to take more aggressive measures such as automaticdowngrade or fail-over.

Referring to FIG. 24, if an application, for example, ATM application230 fails, the slave SRM on the same board as ATM 230 may simply restartit without having to reboot the entire system. As described above, underthe protected memory model, a failing process cannot corrupt the memoryblocks used by other processes. Typically, an application and itscorresponding device drivers would be part of the same memory block oreven part of the same software program, such that if the applicationfailed, both the application and device drivers would need to berestarted. Under the modular software architecture, however,applications, for example ATM application 230, are independent of thedevice drivers, for example, ATM driver 232 and Device Drivers (DD) 234a-234 c. This separation of the data plane (device drivers) and controlplane (applications) results in the device drivers being peers of theapplications. Hence, while the ATM application is terminated andrestarted, the device drivers continue to function.

For network devices, this separation of the control plane and data planemeans that the connections previously established by the ATM applicationare not lost when ATM fails and hardware controlled by the devicedrivers continue to pass data through connections previously establishedby the ATM application. Until the ATM application is restarted andre-synchronized (e.g., through an audit process, described below) withthe active state of the device drivers, no new network connections maybe established but the device drivers continue to pass data through thepreviously established connections to allow the network device tominimize disruption and maintain high availability.

Local Backup:

If a device driver, for example, device driver 234, fails instead of anapplication, for example, ATM 230, then data cannot be passed. For anetwork device, it is critical to continue to pass data and not losenetwork connections. Hence, the failed device driver must be broughtback up (i.e., recovered) as soon as possible. In addition, the failingdevice driver may have corrupted the hardware it controls, therefore,that hardware must be reset and reinitialized. The hardware may be resetas soon as the device driver terminates or the hardware may be resetlater when the device driver is restarted. Resetting the hardware stopsdata flow. In some instances, therefore, resetting the hardware will bedelayed until the device driver is restarted to minimize the time periodduring which data is not flowing. Alternatively, the failing devicedriver may have corrupted the hardware, thus, resetting the hardware assoon as the device driver is terminated may be important to prevent datacorruption. In either case, the device driver re-initializes thehardware during its recovery.

Again, because applications and device drivers are assigned independentmemory blocks, a failed device driver can be restarted without having torestart associated applications and device drivers. Independent recoverymay save significant time as described above for applications. Inaddition, restoring the data plane (i.e., device drivers) can be simplerand faster than restoring the control plane (i.e., applications). Whileit may be just as challenging in terms of raw data size, device driverrecovery may simply require that critical state data be copied intoplace in a few large blocks, as opposed to application recovery whichrequires the successive application of individual configuration elementsand considerable parsing, checking and analyzing. In addition, theapplication may require data stored in the configuration database on thecentral processor or data stored in the memory of other boards. Theconfiguration database may be slow to access especially since many otherapplications also access this database. The application may also needtime to access a management information base (MIB) interface.

To increase the speed with which a device driver is brought back up, therestarted device driver program accesses local backup 236. In oneexample, local backup is a simple storage/retrieval process thatmaintains the data in simple lists in physical memory (e.g., randomaccess memory, RAM) for quick access. Alternatively, local backup may bea database process, for example, a Polyhedra database, similar to theconfiguration database.

Local backup 236 stores the last snap shot of critical state informationused by the original device driver before it failed. The data in localbackup 236 is in the format required by the device driver. In the caseof a network device, local back up data may include path information,for example, service endpoint, path width and path location. Local backup data may also include virtual interface information, for example,which virtual interfaces were configured on which paths and virtualcircuit (VC) information, for example, whether each VC is switched orpassed through segmentation and reassembly (SAR), whether each VC is avirtual channel or virtual path and whether each VC is multicast ormerge. The data may also include traffic parameters for each VC, forexample, service class, bandwidth and/or delay requirements.

Using the data in the local backup allows the device driver to quicklyrecover. An Audit process resynchronizes the restarted device driverwith associated applications and other device drivers such that the dataplane can again transfer network data. Having the backup be localreduces recovery time. Alternatively, the backup could be storedremotely on another board but the recovery time would be increased bythe amount of time required to download the information from the remotelocation.

Audit Process:

It is virtually impossible to ensure that a failed process issynchronized with other processes when it restarts, even when backupdata is available. For example, an ATM application may have set up ortorn down a connection with a device driver but the device driver failedbefore it updated corresponding backup data. When the device driver isrestarted, it will have a different list of established connections thanthe corresponding ATM application (i.e., out of synchronization). Theaudit process allows processes like device drivers and ATM applicationsto compare information, for example, connection tables, and resolvedifferences. For instance, connections included in the driver'sconnection table and not in the ATM connection table were likely torndown by ATM prior to the device driver crash and are, therefore, deletedfrom the device driver connection table. Connections that exist in theATM connection table and not in the device driver connection table werelikely set up prior to the device driver failure and may be copied intothe device driver connection table or deleted from the ATM connectiontable and re-set up later. If an ATM application fails and is restarted,it must execute an audit procedure with its corresponding device driveror drivers as well as with other ATM applications since this is adistributed application.

Vertical Fault Isolation:

Typically, a single instance of an application executes on a single cardor in a system. Fault isolation, therefore, occurs at the card level orthe system level, and if a fault occurs, an entire card—and all theports on that card—or the entire system—and all the ports in thesystem—is affected. In a large communications platform, thousands ofcustomers may experience service outages due to a single processfailure.

For resiliency and fault isolation one or more instances of anapplication and/or device driver may be started per port on each linecard. Multiple instances of applications and device drivers are moredifficult to manage and require more processor cycles than a singleinstance of each but if an application or device driver fails, only theport those processes are associated with is affected. Other applicationsand associated ports—as well as the customers serviced by thoseports—will not experience service outages. Similarly, a hardware failureassociated with only one port will only affect the processes associatedwith that port. This is referred to as vertical fault isolation.

Referring to FIG. 25, as one example, line card 16 a is shown to includefour vertical stacks 400, 402, 404, and 406. Vertical stack 400 includesone instance of ATM 110 and one device driver 43 a and is associatedwith port 44 a. Similarly, vertical stacks 402, 404 and 406 include oneinstance of ATM 111, 112, 113 and one device driver 43 b, 43 c, 43 d,respectively and each vertical stack is associated with a separate port44 b, 44 c, 44 d, respectively. If ATM 112 fails, then only verticalstack 404 and its associated port 44 c are affected. Service is notdisrupted on the other ports (ports 44 a, 44 b, 44 d) since verticalstacks 400, 402, and 406 are unaffected and the applications and driverswithin those stacks continue to execute and transmit data. Similarly, ifdevice driver 43 b fails, then only vertical stack 402 and itsassociated port 44 b are affected.

Vertical fault isolation allows processes to be deployed in a fashionsupportive of the underlying hardware architecture and allows processesassociated with particular hardware (e.g., a port) to be isolated fromprocesses associated with other hardware (e.g., other ports) on the sameor a different line card. Any single hardware or software failure willaffect only those customers serviced by the same vertical stack.Vertical fault isolation provides a fine grain of fault isolation andcontainment. In addition, recovery time is reduced to only the timerequired to re-start a particular application or driver instead of thetime required to re-start all the processes associated with a line cardor the entire system.

Fault/Event Detection:

Traditionally, fault detection and monitoring does not receive a greatdeal of attention from network equipment designers. Hardware componentsare subjected to a suite of diagnostic tests when the system powers up.After that, the only way to detect a hardware failure is to watch for ared light on a board or wait for a software component to fail when itattempts to use the faulty hardware. Software monitoring is alsoreactive. When a program fails, the operating system usually detects thefailure and records minimal debug information.

Current methods provide only sporadic coverage for a narrow set of hardfaults. Many subtler failures and events often go undetected. Forexample, hardware components sometimes suffer a minor deterioration infunctionality, and changing network conditions stress the software inways that were never expected by the designers. At times, the softwaremay be equipped with the appropriate instrumentation to detect theseproblems before they become hard failures, but even then, networkoperators are responsible for manually detecting and repairing theconditions.

Systems with high availability goals must adopt a more proactiveapproach to fault and event monitoring. In order to providecomprehensive fault and event detection, different hierarchical levelsof fault/event management software are provided that intelligentlymonitor hardware and software and proactively take action in accordancewith a defined fault policy. A fault policy based on hierarchical scopesensures that for each particular type of failure the most appropriateaction is taken. This is important because overreacting to a failure,for example, re-booting an entire computer system or re-starting anentire line card, may severely and unnecessarily impact service tocustomers not affected by the failure, and under-reacting to failures,for example, restarting only one process, may not completely resolve thefault and lead to additional, larger failures. Monitoring andproactively responding to events may also allow the computer system andnetwork operators to address issues before they become failures. Forexample, additional memory may be assigned to programs or added to thecomputer system before a lack of memory causes a failure.

Hierarchical Scopes and Escalation:

Referring to FIG. 26, in one embodiment, master SRM 36 serves as the tophierarchical level fault/event manager, each slave SRM 37 a-37 n servesas the next hierarchical level fault/event manager, and softwareapplications resident on each board, for example, ATM 110-113 and devicedrivers 43 a-43 d on line card 16 a include sub-processes that serve asthe lowest hierarchical level fault/event managers (i.e., localresiliency managers, LRM). Master SRM 36 downloads default fault policy(DFP) files (metadata) 430 a-430 n from persistent storage to memory 40.Master SRM 36 reads a master default fault policy file (e.g., DFP 430 a)to understand its fault policy, and each slave SRM 37 a-37 n downloads adefault fault policy file (e.g., DFP 430 b-430 n) corresponding to theboard on which the slave SRM is running. Each slave SRM then passes toeach LRM a fault policy specific to each local process.

A master logging entity 431 also runs on central processor 12 and slavelogging entities 433 a-433 n run on each board. Notifications offailures and other events are sent by the master SRM, slave SRMs andLRMs to their local logging entity which then notifies the masterlogging entity. The master logging entity enters the event in a masterevent log file 435. Each local logging entity may also log local eventsin a local event log file 435 a-435 n.

In addition, a fault policy table 429 may be created in configurationdatabase 42 by the NMS when the user wishes to over-ride some or all ofthe default fault policy (see configurable fault policy below), and themaster and slave SRMs are notified of the fault policies through theactive query process.

Referring to FIG. 27, as one example, ATM application 110 includes manysub-processes including, for example, an LRM program 436, a PrivateNetwork-to-Network Interface (PNNI) program 437, an Interim LinkManagement Interface (ILMI) program 438, a Service Specific ConnectionOriented Protocol (SSCOP) program 439, and an ATM signaling (SIG)program 440. ATM application 110 may include many other sub-programsonly a few have been shown for convenience. Each sub-process may alsoinclude sub-processes, for example, ILMI sub-processes 438 a-438 n. Ingeneral, the upper level application (e.g., ATM 110) is assigned aprocess memory block that is shared by all its sub-processes.

If, for example, SSCOP 439 detects a fault, it notifies LRM 436. LRM 436passes the fault to local slave SRM 37 b, which catalogs the fault inthe ATM application's fault history and sends a notice to local slavelogging entity 433 b. The slave logging entity sends a notice to masterlogging entity 431, which may log the event in master log event file435. The local logging entity may also log the failure in local eventlog 435 a. LRM 436 also determines, based on the type of failure,whether it can fully resolve the error and do so without affecting otherprocesses outside its scope, for example, ATM 111-113, device drivers 43a-43 d and their sub-processes and processes running on other boards. Ifyes, then the LRM takes corrective action in accordance with its faultpolicy. Corrective action may include restarting SSCOP 439 or resettingit to a known state.

Since all sub-processes within an application, including the LRMsub-process, share the same memory space, it may be insufficient torestart or reset a failing sub-process (e.g., SSCOP 439). Hence, formost failures, the fault policy will cause the LRM to escalate thefailure to the local slave SRM. In addition, many failures will not bepresented to the LRM but will, instead, be presented directly to thelocal slave SRM. These failures are likely to have been detected byeither processor exceptions, OS errors or low-level system serviceerrors. Instead of failures, however, the sub-processes may notify theLRM of events that may require action. For example, the LRM may benotified that the PNNI message queue is growing quickly. The LRM's faultpolicy may direct it to request more memory from the operating system.The LRM will also pass the event to the local slave SRM as a non-fatalfault. The local slave SRM will catalog the event and log it with thelocal logging entity, which may also log it with the master loggingentity. The local slave SRM may take more severe action to recover froman excessive number of these nonfatal faults that result in memoryrequests.

If the event or fault (or the actions required to handle either) willaffect processes outside the LRM's scope, then the LRM notifies slaveSRM 37 b of the event or failure. In addition, if the LRM detects andlogs the same failure or event multiple times and in excess of apredetermined threshold set within the fault policy, the LRM mayescalate the failure or event to the next hierarchical scope bynotifying slave SRM 37 b. Alternatively or in addition, the slave SRMmay use the fault history for the application instance to determine whena threshold is exceeded and automatically execute its fault policy.

When slave SRM 37 b detects or is notified of a failure or event, itnotifies slave logging entity 435 b. The slave logging entity notifiesmaster logging entity 431, which may log the failure or event in masterevent log 435, and the slave logging entity may also log the failure orevent in local event log 435 b. Slave SRM 37 b also determines, based onthe type of failure or event, whether it can handle the error withoutaffecting other processes outside its scope, for example, processesrunning on other boards. If yes, then slave SRM 37 b takes correctiveaction in accordance with its fault policy and logs the fault.Corrective action may include re-starting one or more applications online card 16 a.

If the fault or recovery actions will affect processes outside the slaveSRM's scope, then the slave SRM notifies master SRM 36. In addition, ifthe slave SRM has detected and logged the same failure multiple timesand in excess of a predetermined threshold, then the slave SRM mayescalate the failure to the next hierarchical scope by notifying masterSRM 36 of the failure. Alternatively, the master SRM may use its faulthistory for a particular line card to determine when a threshold isexceeded and automatically execute its fault policy.

When master SRM 36 detects or receives notice of a failure or event, itnotifies slave logging entity 433 a, which notifies master loggingentity 431. The master logging entity 431 may log the failure or eventin master log file 435 and the slave logging entity may log the failureor event in local event log 435 a. Master SRM 36 also determines theappropriate corrective action based on the type of failure or event andits fault policy. Corrective action may require failing-over one or moreline cards 16 a-16 n or other boards, including central processor 12, toredundant backup boards or, where backup boards are not available,simply shutting particular boards down. Some failures may require themaster SRM to re-boot the entire computer system.

An example of a common error is a memory access error. As describedabove, when the slave SRM starts a newinstance of an application, itrequests a protected memory block from the local operating system. Thelocal operating systems assign each instance of an application one blockof local memory and then program the local memory management unit (MMU)hardware with which processes have access (read and/or write) to eachblock of memory. An MMU detects a memory access error when a processattempts to access a memory block not assigned to that process. Thistype of error may result when the process generates an invalid memorypointer. The MMU prevents the failing process from corrupting memoryblocks used by other processes (i.e., protected memory model) and sendsa hardware exception to the local processor. A local operating systemfault handler detects the hardware exception and determines whichprocess attempted the invalid memory access. The fault handler thennotifies the local slave SRM of the hardware exception and the processthat caused it. The slave SRM determines the application instance withinwhich the fault occurred and then goes through the process describedabove to determine whether to take corrective action, such as restartingthe application, or escalate the fault to the master SRM.

As another example, a device driver, for example, device driver 43 a maydetermine that the hardware associated with its port, for example, port44 a, is in a bad state. Since the failure may require the hardware tobe swapped out or failed-over to redundant hardware or the device driveritself to be re-started, the device driver notifies slave SRM 37 b. Theslave SRM then goes through the process described above to determinewhether to take corrective action or escalate the fault to the masterSRM.

As a third example, if a particular application instance repeatedlyexperiences the same software error but other similar applicationinstances running on different ports do not experience the same error,the slave SRM may determine that it is likely a hardware error. Theslave SRM would then notify the master SRM which may initiate afail-over to a backup board or, if no backup board exists, simply shutdown that board or only the failing port on that board. Similarly, ifthe master SRM receives failure reports from multiple boards indicatingEthernet failures, the master SRM may determine that the Ethernethardware is the problem and initiate a fail-over to backup Ethernethardware.

Consequently, the failure type and the failure policy determine at whatscope recovery action will be taken. The higher the scope of therecovery action, the larger the temporary loss of services. Speed ofrecovery is one of the primary considerations when establishing a faultpolicy. Restarting a single software process is much faster thanswitching over an entire board to a redundant board or re-booting theentire computer system. When a single process is restarted, only afraction of a card's services are affected. Allowing failures to behandled at appropriate hierarchical levels avoids unnecessary recoveryactions while ensuring that sufficient recovery actions are taken, bothof which minimize service disruption to customers.

Hierarchical Descriptors:

Hierarchical descriptors may be used to provide information specific toeach failure or event. The hierarchical descriptors provide granularitywith which to report faults, take action based on fault history andapply fault recovery policies. The descriptors can be stored in masterevent log file 435 or local event log files 435 a-435 n through whichfaults and events may be tracked and displayed to the user and allow forfault detection at a fine granular level and proactive response toevents. In addition, the descriptors can be matched with descriptors inthe fault policy to determine the recovery action to be taken.

Referring to FIG. 28, in one embodiment, a descriptor 441 includes a tophierarchical class field 442, a next hierarchical level sub-class field444, a lower hierarchical level type field 446 and a lowest levelinstance field 448. The class field indicates whether the failure orevent is related (or suspected to relate) to hardware or software. Thesubclass field categorizes events and failures into particular hardwareor software groups. For example, under the hardware class, subclassindications may include whether the fault or event is related to memory,Ethernet, switch fabric or network data transfer hardware. Under thesoftware class, subclass indications may include whether the fault orevent is a system fault, an exception or related to a specificapplication, for example, ATM.

The type field more specifically defines the subclass failure or event.For example, if a hardware class, Ethernet subclass failure hasoccurred, the type field may indicate a more specific type of Ethernetfailure, for instance, a cyclic redundancy check (CRC) error or a runtpacket error. Similarly, if a software class, ATM failure or event hasoccurred, the type field may indicate a more specific type of ATMfailure or event, for instance, a private network-to-network interface(PNNI) error or a growing message queue event. The instance fieldidentifies the actual hardware or software that failed or generated theevent. For example, with regard to a hardware class, Ethernet subclass,CRC type failure, the instance indicates the actual Ethernet port thatexperienced the failure. Similarly, with regard to a software class, ATMsubclass, PNNI type, the instance indicates the actual PNNI sub-programthat experienced the failure or generated the event.

When a fault or event occurs, the hierarchical scope that first detectsthe failure or event creates a descriptor by filling in the fieldsdescribed above. In some cases, however, the Instance field is notapplicable. The descriptor is sent to the local logging entity, whichmay log it in the local event log file before notifying the masterlogging entity, which may log it in the master event log file 435. Thedescriptor may also be sent to the local slave SRM, which tracks faulthistory based on the descriptor contents per application instance. Ifthe fault or event is escalated, then the descriptor is passed to thenext higher hierarchical scope.

When slave SRM 37 b receives the fault/event notification and thedescriptor, it compares it to descriptors in the fault policy for theparticular scope in which the fault occurred looking for a match or abest case match which will indicate the recovery procedure to follow.Fault descriptors within the fault policy can either be completedescriptors or have wildcards in one or more fields. Since thedescriptors are hierarchical from left to right, wildcards in descriptorfields only make sense from right to left. The fewer the fields withwildcards, the more specific the descriptor. For example, a particularfault policy may apply to all software faults and would, therefore,include a fault descriptor having the class field set to “software” andthe remaining fields—subclass, type, and instance—set to wildcard or“match all.” The slave SRM searches the fault policy for the best match(i.e., the most fields matched) with the descriptor to determine therecovery action to be taken.

Configurable Fault Policy:

In actual use, a computer system is likely to encounter scenarios thatdiffer from those in which the system was designed and tested.Consequently, it is nearly impossible to determine all the ways in whicha computer system might fail, and in the face of an unexpected error,the default fault policy that was shipped with the computer system maycause the hierarchical scope (master SRM, slave SRM or LRM) tounder-react or over-react. Even for expected errors, after a computersystem ships, certain recovery actions in the default fault policy maybe determined to be over aggressive or too lenient. Similar issues mayarise as new software and hardware is released and/or upgraded.

A configurable fault policy allows the default fault policy to bemodified to address behavior specific to a particular upgrade or releaseor to address behavior that was learned after the implementation wasreleased. In addition, a configurable fault policy allows users toperform manual overrides to suit their specific requirements and totailor their policies based on the individual failure scenarios thatthey are experiencing. The modification may cause the hierarchical scopeto react more or less aggressively to particular known faults or events,and the modification may add recovery actions to handle newly learnedfaults or events. The modification may also provide a temporary patchwhile a software or hardware upgrade is developed to fix a particularerror.

If an application runs out of memory space, it notifies the operatingsystem and asks for more memory. For certain applications, this isstandard operating procedure. As an example, an ATM application may haveset up a large number of virtual circuits and to continue setting upmore, additional memory is needed. For other applications, a request formore memory indicates a memory leak error. The fault policy may requirethat the application be re-started causing some service disruption. Itmay be that re-starting the application eventually leads to the sameerror due to a bug in the software. In this instance, while a softwareupgrade to fix the bug is developed, a temporary patch to the faultpolicy may be necessary to allow the memory leak to continue and preventrepeated application re-starts that may escalate to line card re-startor fail-over and eventually to a re-boot of the entire computer system.A temporary patch to the default fault policy may simply allow thehierarchical scope, for example, the local resiliency manager or theslave SRM, to assign additional memory to the application. Of course, aneventual re-start of the application is likely to be required if theapplication's leak consumes too much memory.

A temporary patch may also be needed while a hardware upgrade or fix isdeveloped for a particular hardware fault. For instance, under thedefault fault policy, when a particular hardware fault occurs, therecovery policy may be to fail-over to a backup board. If the backupboard includes the same hardware with the same hardware bug, forexample, a particular semiconductor chip, then the same error will occuron the backup board. To prevent a repetitive fail-over while a hardwarefix is developed, the temporary patch to the default fault policy may beto restart the device driver associated with the particular hardwareinstead of failing-over to the backup board.

In addition to the above needs, a configurable fault policy also allowspurchasers of computer system 10 (e.g., network service providers) todefine their own policies. For example, a network service provider mayhave a high priority customer on a particular port and may want allerrors and events (even minor ones) to be reported to the NMS anddisplayed to the network manager. Watching all errors and events mightgive the network manager early notice of growing resource consumptionand the need to plan to dedicate additional resources to this customer.

As another example, a user of computer system 10 may want to be notifiedwhen any process requests more memory. This may give the user earlynotice of the need to add more memory to their system or to move somecustomers to different line cards. Referring again to FIG. 26, to changethe default fault policy as defined by default fault policy (DFP) files430 a-430 n, a configuration fault policy file 429 is created by the NMSin the configuration database. An active query notification is sent bythe configuration database to the master SRM indicating the changes tothe default fault policy. The master SRM notifies any slave SRMs of anychanges to the default fault policies specific to the boards on whichthey are executing, and the slave SRMs notify any LRMs of any changes tothe default fault policies specific to their process. Going forward, thedefault fault policies—as modified by the configuration fault policy—areused to detect, track and respond to events or failures.

Alternatively, active queries may be established with the configurationdatabase for configuration fault policies specific to each board typesuch that the slave SRMs are notified directly of changes to theirdefault fault policies.

A fault policy (whether default or configured) is specific to aparticular scope and descriptor and indicates a particular recoveryaction to take. As one example, a temporary patch may be required tohandle hardware faults specific to a known bug in an integrated circuitchip. The configured fault policy, therefore, may indicate a scope ofall line cards, if the component is on all line cards, or only aspecific type of line card that includes that component. The configuredfault policy may also indicate that it is to be applied to all hardwarefaults with that scope, for example, the class will indicate hardware(HW) and all other fields will include wildcards (e.g., HW.*.*.*).Instead, the configured fault policy may only indicate a particular typeof hardware failure, for example, CRC errors on transmitted Ethernetpackets (e.g., HW.Ethernet.TxCRC.*).

Redundancy:

As previously mentioned, a major concern for service providers isnetwork downtime. In pursuit of “five 9's availability” or 99.999%network up time, service providers must minimize network outages due toequipment (i.e., hardware) and all too common software failures.Developers of computer systems often use redundancy measures to minimizedowntime and enhance system resiliency. Redundant designs rely onalternate or backup resources to overcome hardware and/or softwarefaults. Ideally, the redundancy architecture allows the computer systemto continue operating in the face of a fault with minimal servicedisruption, for example, in a manner transparent to the serviceprovider's customer.

Generally, redundancy designs come in two forms: 1:1 and 1:N. In aso-called “1:1 redundancy” design, a backup element exists for everyactive or primary element (i.e., hardware backup). In the event that afault affects a primary element, a corresponding backup element issubstituted for the primary element. If the backup element has not beenin a “hot” state (i.e., software backup), then the backup element mustbe booted, configured to operate as a substitute for the failingelement, and also provided with the “active state” of the failingelement to allow the backup element to take over where the failedprimary element left off. The time required to bring the software on thebackup element to an “active state” is referred to as synchronizationtime. A long synchronization time can significantly disrupt systemservice, and in the case of a computer network device, ifsynchronization is not done quickly enough, then hundreds or thousandsof network connections may be lost which directly impacts the serviceprovider's availability statistics and angers network customers.

To minimize synchronization time, many 1:1 redundancy schemes supporthot backup of software, which means that the software on the backupelements mirror the software on the primary elements at some level. The“hotter” the backup element—that is, the closer the backup mirrors theprimary—the faster a failed primary can be switched over or failed overto the backup. The “hottest” backup element is one that runs hardwareand software simultaneously with a primary element conducting alloperations in parallel with the primary element. This is referred to asa “1+1 redundancy” design and provides the fastest synchronization.

Significant costs are associated with 1:1 and 1+1 redundancy. Forexample, additional hardware costs may include duplicate memorycomponents and printed circuit boards including all the components onthose boards. The additional hardware may also require a largersupporting chassis. Space is often limited, especially in the case ofnetwork service providers who may maintain hundreds of network devices.Although 1:1 redundancy improves system reliability, it decreasesservice density. Service density refers to the proportionality betweenthe net output of a particular device and its gross hardware capability.Net output, in the case of a network device (e.g., switch or router),might include, for example, the number of calls handled per second.Redundancy adds to gross hardware capability but not to the net outputand, thus, decreases service density. Likewise, hot backup comes at theexpense of system power. Each active element consumes some amount of thelimited power available to the system. In general, the 1+1 or 1:1redundancy designs provide the highest reliability but at a relativelyhigh cost. Due to the importance of network availability, most networkservice providers prefer the 1+1 redundancy design to minimize networkdowntime.

In a 1:N redundancy design, instead of having one backup element perprimary element, a single backup element or spare is used to backupmultiple (N) primary elements. As a result, the 1:N design is generallyless expensive to manufacture, offers greater service density than the1:1 design and requires a smaller chassis/less space than a 1:1 design.One disadvantage of such a system, however, is that once a primaryelement fails over to the backup element, the system is no longerredundant (i.e., no available backup element for any primary element).Another disadvantage relates to hot state backup. Because one backupelement must support multiple primary elements, the typical 1:N designprovides no hot state on the backup element leading to longsynchronization times and, for network devices, the likelihood thatconnections will be dropped and availability reduced.

Even where the backup element provides some level of hot state backup itgenerally lacks the processing power and memory to provide a full hotstate backup (i.e., 1+N) for all primary elements. To enable some levelof hot state backup for each primary element, the backup element isgenerally a “mega spare” equipped with a more powerful processor andadditional memory. This requires customers to stock more hardware thanin a design with identical backup and primary elements. For instance,users typically maintain extra hardware in the case of a failure. If aprimary fails over to the backup, the failed primary may be replacedwith a new primary. If the primary and backup elements are identical,then users need only stock that one type of board, that is, a failedbackup is also replaced with the same hardware used to replace thefailed primary. If they are different, then the user must stock eachtype of board, thereby increasing the user's cost.

Distributed Redundancy:

A distributed redundancy architecture spreads software backup (hotstate) across multiple elements. Each element may provide softwarebackup for one or more other elements. For software backup alone,therefore, the distributed redundancy architecture eliminates the needfor hardware backup elements (i.e., spare hardware). Where hardwarebackup is also provided, spreading resource demands across multipleelements makes it possible to have significant (perhaps fill) hot statebackup without the need for a mega spare. Identical backup (spare) andprimary hardware provides manufacturing advantages and customerinventory advantages. A distributed redundancy design is less expensivethan many 1:1 designs and a distributed redundancy architecture alsopermits the location of the hardware backup element to float, that is,if a primary element fails over to the backup element, when the failedprimary element is replaced, that new hardware may serve as the hardwarebackup.

Software Redundancy:

In its simplest form, a distributed redundancy system provides softwareredundancy (i.e., backup) with or without redundant (i.e., backup)hardware, for example, with or without using backup line card 16 n asdiscussed earlier with reference to the logical to physical card table(FIG. 11a). Referring to FIG. 29, computer system 10 includes primaryline cards 16 a, 16 b and 16 c. Computer system 10 will likely includeadditional primary line cards; only three are discussed herein (andshown in FIG. 29) for convenience. As described above, to load instancesof software applications, the NMS creates software load records (SLR)128 a-128 n in configuration database 42. The SLR includes the name of acontrol shim executable file and a logical identification (LID)associated with a primary line card on which the application is to bespawned. In the current example, there either are no hardware backupline cards or, if there are, the slave SRM executing on that line carddoes not download and execute backup applications.

As one example, NMS 60 creates SLR 128 a including the executable nameatm_cntrl.exe and card LID 30 (line card 16 a), SLR 128 b includingatm_cntrl.exe and LID 31 (line card 16 b) and SLR 128 c includingatm_cntrl.exe and LID 32 (line card 16 c). The configuration databasedetects LID 30, 31 and 32 in SLRs 128 a, 128 b and 128 c, respectively,and sends slave SRMs 37 b, 37 c and 37 d (line cards 16 a, 16 b, and 16c) notifications including the name of the executable file (e.g.,atm_cntrl.exe) to be loaded. The slave SRMs then download and execute acopy of atm_cntrl.exe 135 from memory 40 to spawn ATM controllers 136 a,136 b and 136 c.

Through the active query feature, the ATM controllers are sent recordsfrom group table (GT) 108′ (FIG. 30) indicating how many instances ofATM each must start on their associated line cards. Group table 108′includes a primary line card LID field 447 and a backup line card LIDfield 449 such that, in addition to starting primary instances of ATM,each primary line card also executes backup instances of ATM. Forexample, ATM controller 136 a receives records 450-453 and 458-461 fromgroup table 108′ including LID 30 (line card 16 a). Records 450-453indicate that ATM controller 136 a is to start four primaryinstantiations of ATM 464-467 (FIG. 29), and records 458-461 indicatethat ATM controller 136 a is to start four backup instantiations of ATM468-471 as backup for four primary instantiations on LID 32 (line card16 c). Similarly, ATM controller 136 b receives records 450-457 fromgroup table 108′ including LID 31 (line card 16 b). Records 454-457indicate that ATM controller 136 b is to start four primaryinstantiations of ATM 472-475, and records 450-453 indicate that ATMcontroller 136 b is to start four backup instantiations of ATM 476-479as backup for four primary instantiations on LID 30 (line card 16 a).ATM controller 136 c receives records 454-461 from group table 108′including LID 32 (line card 16 c). Records 458-461 indicate that ATMcontroller 136 c is to start four primary instantiations of ATM 480-483,and records 454-457 indicate that ATM controller 136 c is to start fourbackup instantiations of ATM 484-487 as backup for four primaryinstantiations on LID 31 (line card 16 b). ATM controllers 136 a, 136 band 136 c then download atm.exe 138 and generate the appropriate numberof ATM instantiations and also indicate to each instantiation whether itis a primary or backup instantiation. Alternatively, the ATM controllersmay download atm.exe and generate the appropriate number of primary ATMinstantiations and download a separate backup_atm.exe and generate theappropriate number of backup ATM instantiations.

Each primary instantiation registers with its local name server 220b-220 d, as described above, and each backup instantiation subscribes toits local name server 220 b-220 d for information about itscorresponding primary instantiation. The name server passes each backupinstantiation at least the process identification number assigned to itscorresponding primary instantiation, and with this, the backupinstantiation sends a message to the primary instantiation to set up adynamic state check-pointing procedure. Periodically or asynchronouslyas state changes, the primary instantiation passes dynamic stateinformation to the backup instantiation (i.e., check-pointing). In oneembodiment, a Redundancy Manager Service available from Harris andJefferies of Dedham, Mass. may be used to allow backup and primaryinstantiations to pass dynamic state information. If the primaryinstantiation fails, it can be re-started, retrieve its last knowndynamic state from the backup instantiation and then initiate an auditprocedure (as described above) to resynchronize with other processes.The retrieval and audit process will normally be completed very quickly,resulting in no discernable service disruption.

Although each line card in the example above is instructed by the grouptable to start four instantiations of ATM, this is by way of exampleonly. The user could instruct the NMS to set up the group table to haveeach line card start one or more instantiations and to have each linecard start a different number of instantiations.

Referring to FIGS. 31a-31 c, if one or more of the primary processes onelement 16 a (ATM 464-467) experiences a software fault (FIG. 31b), theprocessor on line card 16 a may terminate and restart the failingprocess or processes. Once the process or processes are restarted (ATM464′-467′, FIG. 31c), they retrieve a copy of the last known dynamicstate (i.e., backup state) from corresponding backup processes (ATM476-479) executing on line card 16 b and initiate an audit process tosynchronize retrieved state with the dynamic state of associated otherprocesses. The backup state represents the last known active or dynamicstate of the process or processes prior to termination, and retrievingthis state from line card 16 b allows the restarted processes on linecard 16 a to quickly resynchronize and continue operating. The retrievaland audit process will normally be completed very quickly, and in thecase of a network device, quick resynchronization may avoid losingnetwork connections, resulting in no discernable service disruption.

If, instead of restarting a particular application, the software faultexperienced by line card 16 a requires the entire element to be shutdown and rebooted, then all of the processes executing on line card 16 awill be terminated including backup processes ATM 468-471. When theprimary processes are restarted, backup state information is retrievedfrom backup processes executing on line card 16 b as explained above.Simultaneously, the restarted backup processes on line card 16 a againinitiate the check-pointing procedure with primary ATM processes 480-483executing on line card 16 c to again serve as backup processes for theseprimary processes. Referring to FIGS. 32a-32 c, the primary processesexecuting on one line card may be backed-up by backup processes runningon one or more other line cards. In addition, each primary process maybe backed-up by one or more backup processes executing on one or more ofthe other line cards.

Since the operating system assigns each process its own memory block,each primary process may be backed-up by a backup process running on thesame line card. This would minimize the time required to retrieve backupstate and resynchronize if a primary process fails and is restarted. Ina computer system that includes a spare or backup line card (describedbelow), the backup state is best saved on another line card such that inthe event of a hardware fault, the backup state is not lost and can becopied from the other line card. If memory and processor limitationspermit, backup processes may run simultaneously on the same line card asthe primary process and on another line card such that software faultsare recovered from using local backup state and hardware faults arerecovered from using remote backup state.

Where limitations on processing power or memory make full hot statebackup impossible or impractical, only certain hot state data will bestored as backup. The level of hot state backup is inverselyproportional to the resynchronization time, that is, as the level of hotstate backup increases, resynchronization time decreases. For a networkdevice, backup state may include critical information that allows theprimary process to quickly resynchronize.

Critical information for a network device may include connection datarelevant to established network connections (e.g., call set upinformation and virtual circuit information). For example, after primaryATM applications 464-467, executing on line card 16 a, establish networkconnections, those applications send critical state information relevantto those connections to backup ATM applications 479-476 executing online card 16 b. Retrieving connection data allows the hardware (i.e.,line card 16 a) to send and receive network data over the previouslyestablished network connections preventing these connections from beingterminated/dropped.

Although ATM applications were used in the examples above, this is byway of example only. Any application (e.g., IP or MPLS), process (e.g.,MCD or NS) or device driver (e.g., port driver) may have a backupprocess started on another line card to store backup state through acheck-pointing procedure.

Hardware and Software Backup:

By adding one or more hardware backup elements (e.g., line card 16 n) tothe computer system, the distributed redundancy architecture providesboth hardware and software backup. Software backup may be spread acrossall of the line cards or only some of the line cards. For example,software backup may be spread only across the primary line cards, onlyon one or more backup line cards or on a combination of both primary andbackup line cards.

Referring to FIG. 33a, in the continuing example, line cards 16 a, 16 band 16 c are primary hardware elements and line card 16 n is a spare orbackup hardware element. In this example, software backup is spreadacross only the primary line cards. Alternatively, backup line card 16 nmay also execute backup processes to provide software backup. Backupline card 16 n may execute all backup processes such that the primaryelements need not execute any backup processes or line card 16 n mayexecute only some of the backup processes. Regardless of whether backupline card 16 n executes any backup processes, it is preferred that linecard 16 n be at least partially operational and ready to use the backupprocesses to quickly begin performing as if it was a failed primary linecard.

There are many levels at which a backup line card may be partiallyoperational. For example, the backup line card's hardware may beconfigured and device driver processes 490 loaded and ready to execute.In addition, the active state of the device drivers 492, 494, and 496 oneach of the primary line cards may be stored as backup device driverstate (DDS) 498, 500, 502 on backup line card 16 n such that after aprimary line card fails, the backup device driver state corresponding tothat primary element is used by device driver processes 490 to quicklysynchronize the hardware on backup line card 16 n. In addition, datareflecting the network connections established by each primary processmay be stored within each of the backup processes or independently onbackup line card 16 n, for example, connection data (CD) 504, 506, 508.Having a copy of the connection data on the backup line card allows thehardware to quickly begin transmitting network data over previouslyestablished connections to avoid the loss of these connections andminimize service disruption. The more operational (i.e., hotter) backupline card 16 n is the faster it will be able to transfer data overnetwork connections previously established by the failed primary linecard and resynchronize with the rest of the system.

In the case of a primary line card hardware fault, the backup or spareline card takes the place of the failed primary line card. The backupline card starts new primary processes that register with the nameserver on the backup line card and begin retrieving active state frombackup processes associated with the original primary processes. Asdescribed above, the same may also be true for software faults.Referring to FIG. 33b, if, for example, line card 16 a in computersystem 10 is affected by a fault, the slave SRM executing on backup linecard 16 n may start new primary processes 464′-467′ corresponding to theoriginal primary processes 464-467. The new primary processes registerwith the name server process executing on line card 16 n and beginretrieving active state from backup processes 476-479 on line card 16 b.This is referred to as a “fail-over” from failed primary line card 16 ato backup line card 16 n.

As discussed above, preferably, backup line card 16 n is partiallyoperational. While active state is being retrieved from backup processeson line card 16 b, device driver processes 490 use device driver state502 and connection data 508 corresponding to failed primary line card 16a to quickly continue passing network data over previously establishedconnections. Once the active state is retrieved then the ATMapplications resynchronize and may begin establishing new connectionsand tearing down old connections.

Floating Backup Element:

Referring to FIG. 33c, when the fault is detected on line card 16 a,diagnostic tests may be run to determine if the error was caused bysoftware or hardware. If the fault is a software error, then line card16 a may again be used as a primary line card. If the fault is ahardware error, then line card 16 a is replaced with a new line card 16a′ that is booted and configured and again ready to be used as a primaryelement. In one embodiment, once line card 16 a or 16 a′ is ready toserve as a primary element, a fail-over is initiated from line card 16 nto line card 16 a or 16 a′ as described above, including starting newprimary processes 464″-467″ and retrieving active state from primaryprocesses 464′-467′ on line card 16 n (or backup processes 476-479 online card 16 b). Backup processes 468″-471″ are also started, and thosebackup processes initiate a check-pointing procedure with primaryprocesses 480-483 on line card 16 c. This fail-over may cause the samelevel of service interruption as an actual failure.

Instead of failing-over from line card 16 n back to line card 16 a or 16a′ and risking further service disruption, line card 16 a or 16 a′ mayserve as the new backup line card with line card 16 n serving as theprimary line card. If line cards 16 b, 16 c or 16 n experience a fault,a fail-over to line card 16 a is initiated as discussed above and theprimary line card that failed (or a replacement of that line card)serves as the new backup line card. This is referred to as a “floating”backup element. Referring to FIG. 33d, if, for example, line card 16 cexperiences a fault, primary processes 480′-483′ are started on backupline card 16 a and active state is retrieved from backup processes464′-467′ on line card 16 n. After line card 16 c is rebooted orreplaced and rebooted, it serves as the new backup line card for primaryline cards 16 a, 16 b and 16 n.

Alternatively, computer system 10 may be physically configured to onlyallow a line card in a particular chassis slot, for example, line card16 n, to serve as the backup line card. This may be the case wherephysically, the slot line card 16 n is inserted within is wired toprovide the necessary connections to allow line card 16 n to communicatewith each of the other line cards but no other slot provides theseconnections. In addition, even where the computer system is capable ofallowing line cards in other chassis slots to act as the backup linecard, the person acting as network manager, may prefer to have thebackup line card in each of his computer systems in the same slot. Ineither case, where only line card 16 n serves as the backup line card,once line card 16 a (or any other failed primary line card) is ready toact as a primary line card again, a fail-over, as described above, isinitiated from line card 16 n to the primary line card to allow linecard 16 n to again serve as a backup line card to each of the primaryline cards.

Balancing Resources:

Typically, multiple processes or applications are executed on eachprimary line card. Referring to FIG. 34a, in one embodiment, eachprimary line card 16 a, 16 b, 16 c executes four applications. Due tophysical limitations (e.g., memory space, processor power), each primaryline card may not be capable of fully backing up four applicationsexecuting on another primary line card. The distributed redundancyarchitecture allows backup processes to be spread across multiple linecards, including any backup line cards, to more efficiently use allsystem resources.

For instance, primary line card 16 a executes backup processes 510 and512 corresponding to primary processes 474 and 475 executing on primaryline card 16 b. Primary line card 16 b executes backup processes 514 and516 corresponding to primary processes 482 and 483 executing on primaryline card 16 c, and primary line card 16 c executes backup processes 518and 520 corresponding to primary processes 466 and 467 executing onprimary line card 16 a. Backup line card 16 n executes backup processes520, 522, 524, 526, 528 and 530 corresponding to primary processes 464,465, 472, 473, 480 and 481 executing on each of the primary line cards.Having each primary line card execute backup processes for only twoprimary processes executing on another primary line card reduces theprimary line card resources required for backup. Since backup line card16 n is not executing primary processes, more resources are availablefor backup. Hence, backup line card 16 n executes six backup processescorresponding to six primary processes executing on primary line cards.In addition, backup line card 16 n is partially operational and isexecuting device driver processes 490 and storing device driver backupstate 498, 500 and 502 corresponding to the device drivers on each ofthe primary elements and network connection data 504, 506 and 508corresponding to the network connections established by each of theprimary line cards.

Alternatively, each primary line card could execute more or less thantwo backup processes. Similarly, each primary line card could execute nobackup processes and backup line card 16 n could execute all backupprocesses. Many alternatives are possible and backup processes need notbe spread evenly across all primary line cards or all primary line cardsand the backup line card.

Referring to FIG. 5b, if primary line card 16 b experiences a failure,device drivers 490 on backup line card 16 n begins using the devicedriver state, for example, DDS 498, corresponding to the device driverson primary line card 16 b and the network connection data, for example,CD 506, corresponding to the connections established by primary linecard 16 b to continue transferring network data. Simultaneously, backupline card 16 n starts substitute primary processes 510′ and 512′corresponding to the primary processes 474 and 475 on failed primaryline card 16 b. Substitute primary processes 510′ and 512′ retrieveactive state from backup processes 510 and 512 executing on primary linecard 16 a. In addition, the slave SRM on backup line card 16 n informsbackup processes 526 and 524 corresponding to primary processes 472 and473 on failed primary line card 16 b that they are now primaryprocesses. The new primary applications then synchronize with the restof the system such that new network connections may be established andold network connections torn down. That is, backup line card 16 n beginsoperating as if it were primary line card 16 b.

Multiple Backup Elements:

In the examples given above, one backup line card is shown.Alternatively, multiple backup line cards may be provided in a computersystem. In one embodiment, a computer system includes multiple differentprimary line cards. For example, some primary line cards may support theAsynchronous Transfer Mode (ATM) protocol while others support theMulti-Protocol Label Switching (MPLS) protocol, and one backup line cardmay be provided for the ATM primary line cards and another backup linecard may be provided for the MPLS primary line cards. As anotherexample, some primary line cards may support four ports while otherssupport eight ports and one backup line card may be provided for thefour port primaries and another backup line card may be provided for theeight port primaries. One or more backup line cards may be provided foreach different type of primary line card.

Data Plane:

Referring to FIG. 35, a network device 540 includes a central processor542, a redundant central processor 543 and a Fast Ethernet control bus544 similar to central processors 12 and 13 and Ethernet 32 discussedabove with respect to computer system 10. In addition, network device540 includes forwarding cards (FC) 546 a-546 e, 548 a-548 e, 550 a-550eand 552 a-552 e that are similar to line cards 16 a-16 n discussedabove with respect to computer system 10. Network device 540 alsoincludes (and computer system 10 may also include) universal port (UP)cards 554 a-554 h, 556 a-556 h, 558 a-558 h, and 560 a-560 h,cross-connection (XC) cards 562 a-562 b, 564 a-564 b, 566 a-566 b, and568 a-568 b, and switch fabric (SF) cards 570 a-570 b. In oneembodiment, network device 540 includes four quadrants where eachquadrant includes five forwarding cards (e.g., 546 a-546 e), two crossconnection cards (e.g., 562 a-562 b) and eight universal port cards(e.g., 554 a-554 h). Network device 540 is a distributed processingsystem. Each of the cards includes a processor and is connected to theEthernet control bus.

In one embodiment, the forwarding cards have a 1:4 hardware redundancystructure and distributed software redundancy as described above. Forexample, forwarding card 546 e is the hardware backup for primaryforwarding cards 546 a-546 d and each of the forwarding cards providesoftware backup. The cross-connection cards are 1:1 redundant. Forexample, cross-connection card 562 b provides both hardware and softwarebackup for cross-connection card 562 a. Each port on the universal portcards may be 1:1, 1+1, 1:N redundant or not redundant at all dependingupon the quality of service paid for by the customer associated withthat port. For example, port cards 554 e-554 h may be the hardware andsoftware backup cards for port cards 554 a-554 d in which case the portcards are 1:1 or 1+1 redundant. As another example, one or more ports onport card 554 a may be backed-up by separate ports on one or more portcards (e.g., port cards 554 b and 554 c) such that each port is 1:1 or1+1 redundant, one or more ports on port card 554 a may not be backed-upat all (i.e., not redundant) and two or more ports on 554 a may bebacked-up by one port on another port card (e.g., port card 554 b) suchthat those ports are 1:N redundant. Many redundancy structures arepossible.

Each port card includes one or more ports for connecting to externalnetwork connections. One type of network connection is an optical fibercarrying an OC-48 SONET stream, and as described above, an OC-48 SONETstream may include connections to one or more end points using one ormore paths. A SONET fiber carries a time division multiplexed (TDM) bytestream of aggregated time slots (TS). A time slot has a bandwidth of 51Mbps and is the fundamental unit of bandwidth for SONET. An STS-1 pathhas one time slot within the byte stream dedicated to it, while anSTS-3c path (i.e., three concatenated STS-1s) has three time slotswithin the byte stream dedicated to it. The same or different protocolsmay be carried over different paths within the same TDM byte stream. Inother words, ATM over SONET may be carried on an STS-1 path within a TDMbyte stream that also includes IP over SONET on another STS-1 path or onan STS-3c path.

Through network management system 60 on workstation 62, after a userconnects an external network connection to a port, the user may enablethat port and one or more paths within that port (described below). Datareceived on a port card path is passed to the cross-connection card inthe same quadrant as the port card, and the cross-connection card passesthe path data to one of the five forwarding cards or eight port cardsalso within the same quadrant. The forwarding card determines whetherthe payload (e.g., packets, frames or cells) it is receiving includesuser payload data or network control information. The forwarding carditself processes certain network control information and sends certainother network control information to the central processor over the FastEthernet control bus. The forwarding card also generates network controlpayloads and receives network control payloads from the centralprocessor. The forwarding card sends any user data payloads from thecross-connection card or control information from itself or the centralprocessor as path data to the switch fabric card. The switch fabric cardthen passes the path data to one of the forwarding cards in anyquadrant, including the forwarding card that just sent the data to theswitch fabric card. That forwarding card then sends the path data to thecross-connection card within its quadrant, which passes the path data toone of the port cards within its quadrant.

Referring to FIG. 36, in one embodiment, a universal port card 554 aincludes one or more ports 571 a-571 n connected to one or moretransceivers 572 a-572 n. The user may connect an external networkconnection to each port. As one example, port 571 a is connected to aningress optical fiber 576 a carrying an OC-48 SONET stream and an egressoptical fiber 576 b carrying an OC-48 SONET stream. Port 571 a passesoptical data from the SONET stream on fiber 576 a to transceiver 572 a.Transceiver 572 a converts the optical data into electrical signals thatit sends to a SONET framer 574 a. The SONET framer organizes the data itreceives from the transceiver into SONET frames. SONET framer 574 asends data over a telecommunications bus 578 a to aserializer-deserializer (SERDES) 580 a that serializes the data intofour serial lines with twelve STS-1 time slots each and transmits thefour serial lines to cross-connect card 562 a.

Each cross-connection card is a switch that provides connections betweenport cards and forwarding cards within its quadrant. Eachcross-connection card is programmed to transfer each serial line on eachport card within its quadrant to a forwarding card within its quadrantor to serial line on a port card, including the port card thattransmitted the data to the cross-connection card. The programming ofthe cross-connect card is discussed in more detail below under PolicyBased Provisioning.

Each forwarding card (e.g., forwarding card 546 c) receives SONET framesover serial lines from the cross-connection card in its quadrant througha payload extractor chip (e.g., payload extractor 582 a). In oneembodiment, each forwarding card includes four payload extractor chipswhere each payload extractor chip represents a “slice” and each serialline input represents a forwarding card “port”. Each payload extractorchip receives four serial line inputs, and since each serial lineincludes twelve STS-1 time slots, the payload extractor chips combineand separate time slots where necessary to output data paths with theappropriate number of time slots. Each STS-1 time slot may represent aseparate data path, or multiple STS-1 time slots may need to be combinedto form a data path. For example, an STS-3c path requires thecombination of three STS-1 time slots to form a data path while anSTS-48c path requires the combination of all forty-eight STS-1 timeslots. Each path represents a separate network connection, for example,an ATM cell stream.

The payload extractor chip also strips off all vestigial SONET frameinformation and transfers the data path to an ingress interface chip.The ingress interface chip will be specific to the protocol of the datawithin the path. As one example, the data may be formatted in accordancewith the ATM protocol and the ingress interface chip is an ATM interfacechip (e.g., ATM IF 584 a). Other protocols can also be implementedincluding, for example, Internet Protocol (IP), Multi-Protocol LabelSwitching (MPLS) protocol or Frame Relay.

The ingress ATM IF chip performs many functions including determiningconnection information (e.g., virtual circuit or virtual pathinformation) from the ATM header in the payload. The ATM IF chip usesthe connection information as well as a forwarding table to perform anaddress translation from the external address to an internal address.The ATM IF chip passes ATM cells to an ingress bridge chip (e.g., BG 586a-586 b) which serves as an interface to an ingress traffic managementchip or chip set (e.g., TM 588 a-588 n).

The traffic management chips ensure that high priority traffic, forexample, voice data, is passed to switch fabric card 570 a faster thanlower priority traffic, for example, e-mail data. The traffic managementchips may buffer lower priority traffic while higher priority traffic istransmitted, and in times of traffic congestion, the traffic managementchips will ensure that low priority traffic is dropped prior to any highpriority traffic. The traffic management chips also perform an addresstranslation to add the address of the traffic management chip to whichthe data is going to be sent by the switch fabric card. The addresscorresponds to internal virtual circuits set up between forwarding cardsby the software and available to the traffic management chips in tables.

The traffic management chips send the modified ATM cells to switchfabric interface chips (SFIF) 589 a-589 n that then transfer the ATMcells to switch fabric card 570 a. The switch fabric card uses theaddress provided by the ingress traffic management chips to pass ATMcells to the appropriate egress traffic management chips (e.g., TM 590a-590 n) on the various forwarding cards. In one embodiment, the switchfabric card 570 a is a 320 Gbps, non-blocking fabric. Since eachforwarding card serves as both an ingress and egress, the switchingfabric card provides a high degree of flexibility in directing the databetween any of the forwarding cards, including the forwarding card thatsent the data to the switch fabric card.

When a forwarding card (e.g., forwarding card 546 c) receives ATM cellsfrom switch fabric card 570 a, the egress traffic management chipsre-translate the address of each cell and pass the cells to egressbridge chips (e.g., BG 592 a-592 b). The bridge chips pass the cells toegress ATM interface chips (e.g., ATM IF 594 a-594 n), and the ATMinterface chips add a re-translated address to the payload representingan ATM virtual circuit. The ATM interface chips then send the data tothe payload extractor chips (e.g., payload extractor 582 a-582 n) thatseparate, where necessary, the path data into STS-1 time slots andcombine twelve STS-1 time slots into four serial lines and send theserial lines back through the cross-connection card to the appropriateport card.

The port card SERDES chips receive the serial lines from thecross-connection card and de-serialize the data and send it to SONETframer chips 574 a-574 n. The Framers properly format the SONET overheadand send the data back through the transceivers that change the datafrom electrical to optical before sending it to the appropriate port andSONET fiber.

Although the port card ports above were described as connected to aSONET fiber carrying an OC-48 stream, other SONET fibers carrying otherstreams (e.g., OC-12) and other types of fibers and cables, for example,Ethernet, may be used instead. The transceivers are standard partsavailable from many companies, including Hewlett Packard Company andSumitomo Corporation. The SONET framer may be a Spectra chip availablefrom PMC-Sierra, Inc. in British Columbia. A Spectra 2488 has a maximumbandwidth of 2488 Mbps and may be coupled with a 1×OC48 transceivercoupled with a port connected to a SONET optical fiber carrying an OC-48stream also having a maximum bandwidth of 2488 Mbps. Instead, four SONEToptical fibers carrying OC-12 streams each having a maximum bandwidth of622 Mbps may be connected to four 1×OC12 transceivers and coupled withone Spectra 2488.

Alternatively, a Spectra 4×155 may be coupled with four OC-3transceivers that are coupled with ports connected to four SONET fiberscarrying OC-3 streams each having a maximum bandwidth of 155 Mbps. Manyvariables are possible.

The SERDES chip may be a Telecommunications Bus Serializer (TBS) chipfrom PMC-Sierra, and each cross-connection card may include a TimeSwitch Element (TSE) from PMC-Sierra, Inc. Similarly, the payloadextractor chips may be MACH 2488 chips and the ATM interface chips maybe ATLAS chips both of which are available from PMC-Sierra. Severalchips are available from Extreme Packet Devices (EPD), a subsidiary ofPMC-Sierra, including PP3 bridge chips and Data Path Element (DPE)traffic management chips. The switch fabric interface chips may includea Switch Fabric Interface (SIF) chip also from EPD. Other switch fabricinterface chips are available from Abrizio, also a subsidiary ofPMC-Sierra, including a data slice chip and an enhanced port processor(EPP) chip. The switch fabric card may also include chips from Abrizio,including a cross-bar chip and a scheduler chip.

Although the port cards, cross-connection cards and forwarding cardshave been shown as separate cards, this is by way of example only andthey may be combined into one or more different cards.

Policy Based Provisioning:

Unlike the switch fabric card, the cross-connection card does notexamine header information in a payload to determine where to send thedata. Instead, the cross-connection card is programmed to transmitpayloads, for example, SONET frames, between a particular serial line ona universal port card port and a particular serial line on a forwardingcard port regardless of the information in the payload. As a result, oneport card serial line and one forwarding card serial line will transmitdata to each other through the cross-connection card until thatprogrammed connection is changed.

In one embodiment, connections established through a path table andservice endpoint table (SET) in a configuration database are passed topath managers on port cards and service endpoint managers (SEMs) onforwarding cards, respectively. The path managers and service endpointmanagers then communicate with a cross-connect manager (CCM) on thecross-connection card in their quadrant to provide connectioninformation. The CCM uses the connection information to generate aconnection program table that is used by one or more components (e.g., aTSE chip 563) to program internal connection paths through thecross-connection card.

Typically, connections are fixed or are generated according to apredetermined map with a fixed set of rules. Unfortunately, a fixed setof rules may not provide flexibility for future network device changesor the different needs of different users/customers. Instead, withinnetwork device 540, each time a user wishes to enable/configure a pathon a port on a universal port card, a Policy Provisioning Manager (PPM)599 (FIG. 37) executing on central processor 542 selects the forwardingcard port to which the port card port will be connected based on aconfigurable provisioning policy (PP) 603 in configuration database 42.The configurable provisioning policy may take into consideration manyfactors such as available system resources, balancing those resourcesand quality of service. Similar to other programs and files storedwithin the configuration database of computer system 10 described above,the provisioning policy may be modified while network device 540 isrunning to allow to policy to be changed according to a user's changingneeds or changing network device system requirements.

When a user connects an external network connection to a particular porton a universal port card, the user notifies the NMS as to which port onwhich universal port card should be enabled, which path or paths shouldbe enabled, and the number of time slots in each path. The user may alsonotify the NMS as to a new path and its number of time slots on analready enabled port that was not fully utilized or the user may notifythe NMS of a modification to one or more paths on already enabled portsand the number of time slots required for that path or paths. With thisinformation, the NMS fills in a Path table 600 (FIGS. 37 and 38) andpartially fills in a Service Endpoint Table (SET) 76′ (FIGS. 37 and 39).

When a record in the path table is filled in, the configuration databasesends an active query notification to a path manager (e.g., path manager597) executing on a universal port card (e.g., port card 554 a)corresponding to the universal port card port LID (e.g., port 1231, FIG.38) in the path table record (e.g., record 602).

Leaving some fields in the SET blank or assigning a particular value(e.g., zero), causes the configuration database to send an active querynotification to Policy Provisioning Manager (PPM) 599. The PPM thendetermines—using provisioning policy 603—which forwarding card (FC) portor ports to assign to the new path or paths. For example, the PPM mayfirst compare the new path's requirements, including its protocol (e.g.,ATM over SONET), the number of time slots, the number of virtualcircuits and virtual circuit scheduling restrictions, to the availableforwarding card resources in the quadrant containing the universal portcard port and path. The PPM also takes other factors into considerationincluding quality of service, for example, redundancy requirements ordedicated resource requirements, and balancing resource usage (i.e.,load balancing) evenly within a quadrant.

As an example, a user connects SONET optical fiber 576 a (FIG. 36) toport 571 a on universal port card 554 a and wants to enable a path withthree time slots (i.e., STS-3c). The NMS assigns a path LID number(e.g., path LID 1666) and fills in a record (e.g., row 602) in PathTable 600 to include path LID 1666, a universal port card port LID(e.g., UP port LID 1231) previously assigned by the NMS and retrievedfrom the Logical to Physical Port Table, the first time slot (e.g., timeslot 4) in the SONET stream corresponding with the path and the totalnumber of time slots—in this example, 3—in the path. Other informationmay also be filled into Path Table 600.

The NMS also partially fills in a record (e.g., row 604) in SET 76′ byfilling in the quadrant number—in this example, 1—and the assigned pathLID 1666 and by assigning a service endpoint number 878. The SET tablealso includes other fields, for example, a forwarding card LID field606, a forwarding card slice 608 (i.e., port) and a forwarding cardserial line 610. In one embodiment, the NMS fills in these fields with aparticular value (e.g., zero), and in another embodiment, the NMS leavesthese fields blank.

In either case, the particular value or a blank field causes theconfiguration database to send an active query notice to the PPMindicating a new path LID, quadrant number and service endpoint number.It is up to the PPM to decide which forwarding card, slice (i.e.,payload extractor chip) and time slot (i.e., port) to assign to the newuniversal port card path. Once decided, the PPM fills in the SET Tablefields. Since the user and NMS do not completely fill in the SET record,this may be referred to as a “self-completing configuration record.”Self-completing configuration records reduce the administrative workloadof provisioning a network.

The SET and path table records may be automatically copied to persistentstorage 21 to insure that if network device 540 is re-booted theseconfiguration records are maintained. If the network device shuts downprior to the PPM filling in the SET record fields and having thosefields saved in persistent storage, when the network device is rebooted,the SET will still include blank fields or fields with particular valueswhich will cause the configuration database to again send an activequery to the PPM.

When the forwarding card LID (e.g., 1667) corresponding, for example, toforwarding card 546 c, is filled into the SET table, the configurationdatabase sends an active query notification to an SEM (e.g., SEM 96 i)executing on that forwarding card and corresponding to the assignedslice and/or time slots. The active query notifies the SEM of the newlyassigned service endpoint number (e.g., SE 878) and the forwarding cardslice (e.g., payload extractor 582 a) and time slots (i.e., 3 time slotsfrom one of the serial line inputs to payload extractor 582 a) dedicatedto the new path.

Path manager 597 and SEM 96 i both send connection information to across-connection manager 605 executing on cross-connection card 562a—the cross-connection card within their quadrant. The CCM uses theconnection information to generate a connection program table 601 anduses this table to program internal connections through one or morecomponents (e.g., a TSE chip 563) on the cross-connection card. Onceprogrammed, cross-connection card 562 a transmits data between new pathLID 1666 on SONET fiber 576 a connected to port 571 a on universal portcard 554 a and the serial line input to payload extractor 582 a onforwarding card 546 c.

An active query notification is also sent to NMS database 61, and theNMS then displays the new system configuration to the user.

Alternatively, the user may choose which forwarding card to assign tothe new path and notify the NMS. The NMS would then fill in theforwarding card LID in the SET, and the PPM would only determine whichtime slots and slice within the forwarding card to assign.

In the description above, when the PPM is notified of a new path, itcompares the requirements of the new path to the available/unusedforwarding card resources. If the necessary resources are not available,the PPM may signal an error. Alternatively, the PPM could move existingforwarding card resources to make the necessary forwarding cardresources available for the new path. For example, if no payloadextractor chip is completely available in the entire quadrant, one pathrequiring only one time slot is assigned to payload extractor chip 582 aand a new path requires forty-eight time slots, the one path assigned topayload extractor chip 582 a may be moved to another payload extractorchip, for example, payload extractor chip 582 b that has at least onetime slot available and the new path may be assigned all of the timeslots on payload extractor chip 582 a. Moving the existing path isaccomplished by having the PPM modify an existing SET record. The newpath is configured as described above.

Moving existing paths may result in some service disruption. To avoidthis, the provisioning policy may include certain guidelines tohypothesize about future growth. For example, the policy may requiresmall paths—for example, three or less time slots—to be assigned topayload extractor chips that already have some paths assigned instead ofto completely unassigned payload extractor chips to provide a higherlikelihood that forwarding card resources will be available for largepaths—for example, sixteen or more time slots—added in the future.

It will be understood that variations and modifications of the abovedescribed methods and apparatuses will be apparent to those of ordinaryskill in the art and may be made without departing from the inventiveconcepts described herein. Accordingly, the embodiments described hereinare to be viewed merely as illustrative, and not limiting, and theinventions are to be limited solely by the scope and spirit of theappended claims.

What is claimed is:
 1. A computer system comprising: a controlapplication; a device drive process in communication with the controlapplication; a local back-up process for facilitating recovery of thedevice driver process if the device driver process is terminated,wherein the local back-up process is independent of both the devicedriver process and the control application, and a remote back-up processfor facilitating recovery of the control application if the controlapplication is terminated, wherein the remote back-up process isindependent of both the device driver process and the controlapplication.
 2. The computer system of claim 1, wherein the remoteback-up process and the control application communicate through acheck-pointing procedure.
 3. A network device comprising: a controlplane including a control process for establishing and terminatingnetwork connections; a data plane including a device driver process fortransmitting data over network connections established by the controlprocess; a local back-up process for facilitating recovery of the devicedriver process if the device driver process is terminated, a remoteback-up process for facilitating recovery of the control application ifthe control application is terminated, wherein the local back-up processis independent of both the control process and the device driver processand the remote back-up process is independent of both the device driverprocess and the control process.
 4. The network device of claim 3,wherein the control application is an Asynchronous Transfer Modeapplication.
 5. The network device of claim 4, wherein said devicedriver is an Asynchronous Transfer Mode driver corresponding to theAsynchronous Transfer Mode application.
 6. The network device of claim3, wherein the control application is a Multi-Protocol Label Switchingapplication.
 7. The network device of claim 6, wherein said devicedriver is a Multi-Protocol Label Switching driver corresponding to theMulti-Protocol Label Switching application.
 8. The network device ofclaim 3, wherein the control application is an Internet ProtocolApplication.
 9. The network device of claim 8, wherein said devicedriver is an Internet Protocol driver corresponding to the InternetProtocol application.
 10. The network device of claim 3, wherein thecontrol application is a Frame Relay application.
 11. The network deviceof claim 10, wherein said device driver is a Frame Realy drivercorresponding to the Frame Relay application.
 12. A network devicecomprising: a control plane including a control process for establishingand terminating network connections; a data plane including a devicedriver process for transmitting data over network connectionsestablished by the control process; a local back-up process forfacilitating recovery of the device driver process if the device driverprocess is terminated, wherein the local back-up process is independentof both the control process and the device driver process and the remoteback-up process and the control application communicate through acheck-pointing procedure to allow the remote back-up process to storecertain state information representing the active state of the controlapplication.
 13. The network device of claim 12, wherein the controlapplication is an Asynchronous Transfer Mode application.
 14. Thenetwork device of claim 12, wherein said device driver is aMulti-Protocol Label Switching driver corresponding to theMulti-Protocol Label Switching application.
 15. The network device ofclaim 12, wherein said device driver is an Internet Protocol drivercorresponding to the Internet Protocol application.
 16. A method ofoperating a network device, comprising: establishing and terminatingnetwork connections through a modular control application within acontrol plane; transmitting data over network connections established bythe control application through a modular device driver process within adata plane; communicating active state information between the devicedriver process and a local backup process; terminating the device driverprocess; restarting the device driver process; communicating backupstate information stored by the local backup process to the restarteddevice driver process to facilitate recovery of the device driverprocess; and continuing to establish and terminate network connectionsthrough the control application when the device driver process isterminated and restarted.